Created on 05-17-2024 01:40 AM. Edited on 08-08-2024 06:55 AM. By Jean-Philippe_P
Description | This article discusses some RADIUS errors that might appear in the RADIUS logs and how to resolve them. |
Scope | FortiNAC and FortiNAC-F. |
Solution |
Tue Apr 30 13:15:02 2024 : Debug: (7) eap_tls: [eaptls verify] = length included
Tue Apr 30 13:15:02 2024 : Debug: (7) eap_tls: <<< recv TLS 1.2 [length 0005]
Tue Apr 30 13:15:02 2024 : Debug: (7) eap_tls: <<< recv TLS 1.2 [length 0002]
Tue Apr 30 13:15:02 2024 : ERROR: (7) eap_tls: TLS Alert read:fatal:access denied
Tue Apr 30 13:15:02 2024 : Debug: (7) eap_tls: SSL_read Error
Tue Apr 30 13:15:02 2024 : ERROR: (7) eap_tls: Error in fragmentation logic
Tue Apr 30 13:15:02 2024 : ERROR: (7) eap_tls: Failed in __FUNCTION__ (SSL_read): ../openssl-3.0.12/ssl/record/rec_layer_s3.c[1586]:error:0A000419:SSL routines::tlsv1 alert access denied
Tue Apr 30 13:15:02 2024 : ERROR: (7) eap_tls: [eaptls process] = fail
Tue Apr 30 13:15:02 2024 : ERROR: (7) eap-DefaultConfig: Failed continuing EAP TLS (13) session. EAP sub-module failed
Tue Apr 30 13:15:02 2024 : Debug: (7) eap-DefaultConfig: Sending EAP Failure (code 4) ID 182 length 4
Tue Apr 30 13:15:02 2024 : Debug: (7) eap-DefaultConfig: Failed in EAP select
Tue Apr 30 13:15:02 2024 : Debug: (7) modsingle[authenticate]: returned from eap-DefaultConfig (rlm_eap)
(167) eap_tls: ERROR: (TLS) OpenSSL says error 26 : unsuitable certificate purpose
(167) eap_tls: (TLS) send TLS 1.2 Alert, fatal unsupported_certificate
(167) eap_tls: ERROR: (TLS) Alert write:fatal:unsupported certificate
(167) eap_tls: ERROR: (TLS) Server : Error in error
(167) eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:0A000086:SSL routines::certificate verify failed

Verify the below are correct:
(31) eap_tls: TLS-Client-Cert-Serial := "xxxxxxxxxxxxxxxxxxxxx"
(31) eap_tls: TLS-Client-Cert-Subject := "xxxxxxx"
Tue Apr 30 18:33:14 2024 : Debug: (165) } # server DefaultConfig-inner-tunnel
Tue Apr 30 18:33:14 2024 : Debug: (165) Virtual server sending reply
Tue Apr 30 18:33:14 2024 : Debug: (165) MS-CHAP-Error = "\360E=691 R=1 C=00908ce71bf5c81896c3ef83690fc3ac V=3 M=Authentication rejected"
Tue Apr 30 18:33:14 2024 : Debug: (165) EAP-Message = 0x04f00004
Tue Apr 30 18:33:14 2024 : Debug: (165) Message-Authenticator = 0x00000000000000000000000000000000
Tue Apr 30 18:33:14 2024 : Debug: (165) Module-Failure-Message = "Credentials Invalid (MSCHAP2)"
Tue Apr 30 18:33:14 2024 : Debug: (165) eap_peap: Got tunneled reply code 3
Tue Apr 30 18:33:14 2024 : Debug: (165) eap_peap: MS-CHAP-Error = "\360E=691 R=1 C=00908ce71bf5c81896c3ef83690fc3ac V=3 M=Authentication rejected"
Tue Apr 30 18:33:14 2024 : Debug: (165) eap_peap: EAP-Message = 0x04f00004
Tue Apr 30 18:33:14 2024 : Debug: (165) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
Tue Apr 30 18:33:14 2024 : Debug: (165) eap_peap: Module-Failure-Message = "Credentials Invalid (MSCHAP2)"
Tue Apr 30 18:33:14 2024 : Debug: (165) eap_peap: Got tunneled reply RADIUS code 3
Tue Apr 30 18:33:14 2024 : Debug: (165) eap_peap: MS-CHAP-Error = "\360E=691 R=1 C=00908ce71bf5c81896c3ef83690fc3ac V=3 M=Authentication rejected"
Tue Apr 30 18:33:14 2024 : Debug: (165) eap_peap: EAP-Message = 0x04f00004
Tue Apr 30 18:33:14 2024 : Debug: (165) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
Tue Apr 30 18:33:14 2024 : Debug: (165) eap_peap: Module-Failure-Message = "Credentials Invalid (MSCHAP2)"
Tue Apr 30 18:33:14 2024 : Debug: (165) eap_peap: Tunneled authentication was rejected
(1) eap_ttls: ERROR: TLS Alert write:fatal:internal error

FortiNAC will also print the below message in the RADIUS logs to view the RADIUS certificate compatibility:
Related article: Troubleshooting Tip: Troubleshoot and Debug FortiNAC Local Radius via GUI and CLI |
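
The following is an added example, not part of the original article or of FortiNAC's own tooling: it groups the failure signatures seen in the log excerpts above by request number and decodes them. The function name `triage`, the finding tuples and the lookup tables are this example's own; the alert direction (`read` = sent by the supplicant, `write` = sent by the server) and the `E=`/`R=` fields (RFC 2759) are standard FreeRADIUS and MS-CHAP-V2 semantics rather than statements from the article.

```python
import re
from collections import defaultdict

# MS-CHAP-V2 failure codes from RFC 2759, carried in the "E=" field.
MSCHAP_CODES = {646: "ERROR_RESTRICTED_LOGON_HOURS", 647: "ERROR_ACCT_DISABLED",
                648: "ERROR_PASSWD_EXPIRED", 649: "ERROR_NO_DIALIN_PERMISSION",
                691: "ERROR_AUTHENTICATION_FAILURE", 709: "ERROR_CHANGING_PASSWORD"}

REQ_ID = re.compile(r"\((\d+)\)")  # request number, e.g. "(165)"
TLS_ALERT = re.compile(r"Alert (read|write):(fatal|warning):(.+)$")
X509_ERR = re.compile(r"OpenSSL says error (\d+) : (.+)$")
MSCHAP = re.compile(r'MS-CHAP-Error = ".*?E=(\d+) R=(\d)')

def triage(log_text):
    """Return {request_id: [finding, ...]} in log order, duplicates removed."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        req = REQ_ID.search(line)
        if not req:
            continue
        if m := TLS_ALERT.search(line):
            # "read" = alert received from the supplicant, "write" = alert sent by the server
            origin = "supplicant" if m[1] == "read" else "server"
            item = ("tls_alert", origin, m[3].strip())
        elif m := X509_ERR.search(line):
            item = ("x509_verify", int(m[1]), m[2].strip())
        elif m := MSCHAP.search(line):
            code = int(m[1])
            # Last element: R=1 means the server allows a retry
            item = ("mschap", code, MSCHAP_CODES.get(code, "unknown"), m[2] == "1")
        else:
            continue
        if item not in findings[int(req[1])]:
            findings[int(req[1])].append(item)
    return dict(findings)

# Sample input: lines taken from the log excerpts in this article.
SAMPLE = r'''Tue Apr 30 13:15:02 2024 : ERROR: (7) eap_tls: TLS Alert read:fatal:access denied
(167) eap_tls: ERROR: (TLS) OpenSSL says error 26 : unsuitable certificate purpose
(167) eap_tls: ERROR: (TLS) Alert write:fatal:unsupported certificate
Tue Apr 30 18:33:14 2024 : Debug: (165) MS-CHAP-Error = "\360E=691 R=1 C=00908ce71bf5c81896c3ef83690fc3ac V=3 M=Authentication rejected"
Tue Apr 30 18:33:14 2024 : Debug: (165) eap_peap: MS-CHAP-Error = "\360E=691 R=1 C=00908ce71bf5c81896c3ef83690fc3ac V=3 M=Authentication rejected"
(1) eap_ttls: ERROR: TLS Alert write:fatal:internal error'''

if __name__ == "__main__":
    for req_id, items in triage(SAMPLE).items():
        print(req_id, items)
```

Grouping by request number keeps a supplicant-side rejection (request 7) apart from a server-side certificate verification failure (request 167) and a credential failure inside the PEAP tunnel (request 165).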