amahdi
Article Id 322893
Description

This article describes a scenario where wireless authentication via RADIUS through FortiNAC fails when a loopback interface is used as the source IP under the RADIUS user settings:


config system interface
    edit "loopback-root"
        set vdom "root"
        set ip 10.250.255.1 255.255.255.255
        set allowaccess ping https ssh snmp http fgfm fabric
        set type loopback
        set role lan
        set snmp-index 54
    next
end

Upon connecting to the Wi-Fi SSID, the client authenticates to the RADIUS server successfully through FortiNAC and matches the proper network access policy, but the device never leaves the isolation subnet and remains stuck in the isolation VLAN.

Scope

FortiGate.
Solution

To troubleshoot the issue further, the following output needs to be collected and provided to TAC for further investigation:


  1. Radius traffic packet capture:

diag sniffer packet any 'port 1812 or 1813 or 3799 or 1700' 6 0 a


This captures the RADIUS UDP ports 1812 (authentication), 1813 (accounting), and 3799 or 1700 (CoA/Disconnect) so the packets can be examined.
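As an added example (not part of the original article), the script below summarizes the header lines of a saved sniffer capture by RADIUS role and direction, flags outbound authentication/accounting requests that are not sourced from the loopback IP, and reports whether any CoA/Disconnect messages arrived. The header line shape, the sample capture, and the IP addresses are constructed assumptions.

```python
import re
from collections import Counter

# Assumed shape of one FortiOS sniffer header line (verbosity 6, absolute
# timestamps); the hex-dump lines that follow each header are ignored.
HEADER_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<intf>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): udp (?P<len>\d+)$"
)

# RADIUS UDP ports, as listed in the capture filter above.
ROLE_BY_PORT = {1812: "auth", 1813: "acct", 3799: "coa", 1700: "coa"}


def summarize_radius_capture(text, loopback_ip):
    """Count RADIUS packets per (role, direction), list outbound auth/acct
    requests whose source is not the loopback IP, and note whether any
    CoA/Disconnect packet was received."""
    counts = Counter()
    wrong_source = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue  # hex dump or unrelated line
        sport, dport = int(m["sport"]), int(m["dport"])
        role = ROLE_BY_PORT.get(dport) or ROLE_BY_PORT.get(sport)
        if role is None:
            continue
        counts[(role, m["dir"])] += 1
        # Requests the FortiGate sends must use the configured loopback source
        if m["dir"] == "out" and dport in (1812, 1813) and m["src"] != loopback_ip:
            wrong_source.append(line)
    return {
        "counts": dict(counts),
        "coa_received": counts[("coa", "in")] > 0,
        "wrong_source_lines": wrong_source,
    }


# Constructed sample capture (not real traffic): one request sourced from a
# non-loopback address is included to show the check firing.
SAMPLE = """\
2024-05-01 10:00:00.000001 port1 out 10.250.255.1.51000 -> 192.0.2.10.1812: udp 180
0x0000   4500 00d0 1234 0000 4011 0000 0afa ff01
2024-05-01 10:00:00.000500 port1 in 192.0.2.10.1812 -> 10.250.255.1.51000: udp 60
2024-05-01 10:00:01.000000 port1 out 10.250.255.1.51001 -> 192.0.2.10.1813: udp 120
2024-05-01 10:00:05.000000 port1 in 192.0.2.10.40000 -> 10.250.255.1.3799: udp 90
2024-05-01 10:00:06.000000 port1 out 192.0.2.1.51002 -> 192.0.2.10.1812: udp 180
"""

if __name__ == "__main__":
    print(summarize_radius_capture(SAMPLE, "10.250.255.1"))
```

Feed it the text of a real capture (header lines only are needed) to confirm that the loopback IP is the source of every request and that FortiNAC's CoA/Disconnect actually reaches the FortiGate.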


  2. Collect radius-das and wpad debugs by running the following:

diagnose debug app radius-das 255
diagnose debug app wpad 7
diagnose debug enable


  3. Before and after the client connects, check the station list and the PMK list:

diagnose wpa wpad sta
diagnose wpa wpad pmk list