FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
Hawada1
Staff
Article Id 315632
Description This article discusses some RADIUS errors that might appear in the RADIUS logs and how to resolve them.
Scope FortiNAC and FortiNAC-F.
Solution
  1. Error 0A000419 appears in the RADIUS logs when the supplicant is configured with a server name/FQDN that differs from the CN/Subject and Subject Alternative Names (SAN) of the FortiNAC RADIUS certificate:

Tue Apr 30 13:15:02 2024 : Debug: (7) eap_tls: [eaptls verify] = length included
Tue Apr 30 13:15:02 2024 : Debug: (7) eap_tls: <<< recv TLS 1.2  [length 0005]
Tue Apr 30 13:15:02 2024 : Debug: (7) eap_tls: <<< recv TLS 1.2  [length 0002]
Tue Apr 30 13:15:02 2024 : ERROR: (7) eap_tls: TLS Alert read:fatal:access denied
Tue Apr 30 13:15:02 2024 : Debug: (7) eap_tls: SSL_read Error
Tue Apr 30 13:15:02 2024 : ERROR: (7) eap_tls: Error in fragmentation logic
Tue Apr 30 13:15:02 2024 : ERROR: (7) eap_tls: Failed in __FUNCTION__ (SSL_read): ../openssl-3.0.12/ssl/record/rec_layer_s3.c[1586]:error:0A000419:SSL routines::tlsv1 alert access denied
Tue Apr 30 13:15:02 2024 : ERROR: (7) eap_tls: [eaptls process] = fail
Tue Apr 30 13:15:02 2024 : ERROR: (7) eap-DefaultConfig: Failed continuing EAP TLS (13) session.  EAP sub-module failed
Tue Apr 30 13:15:02 2024 : Debug: (7) eap-DefaultConfig: Sending EAP Failure (code 4) ID 182 length 4
Tue Apr 30 13:15:02 2024 : Debug: (7) eap-DefaultConfig: Failed in EAP select
Tue Apr 30 13:15:02 2024 : Debug: (7)     modsingle[authenticate]: returned from eap-DefaultConfig (rlm_eap)


Make sure the Subject of the RADIUS certificate is entered in the supplicant's 'Connect to these servers (examples: srv1;srv2;.*\.srv3\.com)' field.
Type the name exactly as it appears in the Subject field of each RADIUS server certificate, or use a regular expression (regex) to specify the server name:


(Screenshot: Connect to these servers)

  2. Error 0A000086: OpenSSL says error 26: unsuitable certificate purpose:

(167) eap_tls:   ERROR: (TLS) OpenSSL says error 26 : unsuitable certificate purpose

(167) eap_tls: (TLS) send TLS 1.2 Alert, fatal unsupported_certificate

(167) eap_tls: ERROR: (TLS) Alert write:fatal:unsupported certificate

(167) eap_tls: ERROR: (TLS) Server : Error in error

(167) eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:0A000086:SSL routines::certificate verify failed

Verify that the following are correct:

  • Remove the wrong client certificate sent by the supplicant from the Personal certificate list. Identify the certificate that was sent from the RADIUS debug logs:

(31) eap_tls: TLS-Client-Cert-Serial := "xxxxxxxxxxxxxxxxxxxxx"
(31) eap_tls: TLS-Client-Cert-Subject := "xxxxxxx"

  • The 'Key Usage' field includes the 'Digital Signature, Key Encipherment' attributes.
  • The 'Enhanced Key Usage' field includes the 'Client Authentication' (1.3.6.1.5.5.7.3.2) attribute.
  • The Subject Alternative Name has the value OtherName: Principal Name=<user@labdc.local>.
  • The client certificate is signed by the correct Root CA certificate.

  3. With EAP-PEAP-MSCHAPv2, FortiNAC is unable to authenticate the user against LDAP because of LDAP communication issues between FortiNAC and the LDAP server:

Tue Apr 30 18:33:14 2024 : Auth: (165)   Login incorrect (mschap-winbind: Failed to read from child output): [LABDC\peapuser] (from client 192.168.10.10 port 1 cli 34-E6-D7-3A-6A-47 via TLS tunnel)
Tue Apr 30 18:33:14 2024 : Debug: (165) } # server DefaultConfig-inner-tunnel
Tue Apr 30 18:33:14 2024 : Debug: (165) Virtual server sending reply
Tue Apr 30 18:33:14 2024 : Debug: (165)   MS-CHAP-Error = "\360E=691 R=1 C=00908ce71bf5c81896c3ef83690fc3ac V=3 M=Authentication rejected"
Tue Apr 30 18:33:14 2024 : Debug: (165)   EAP-Message = 0x04f00004
Tue Apr 30 18:33:14 2024 : Debug: (165)   Message-Authenticator = 0x00000000000000000000000000000000
Tue Apr 30 18:33:14 2024 : Debug: (165)   Module-Failure-Message = "Credentials Invalid (MSCHAP2)"
Tue Apr 30 18:33:14 2024 : Debug: (165) eap_peap: Got tunneled reply code 3
Tue Apr 30 18:33:14 2024 : Debug: (165) eap_peap:   MS-CHAP-Error = "\360E=691 R=1 C=00908ce71bf5c81896c3ef83690fc3ac V=3 M=Authentication rejected"
Tue Apr 30 18:33:14 2024 : Debug: (165) eap_peap:   EAP-Message = 0x04f00004
Tue Apr 30 18:33:14 2024 : Debug: (165) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
Tue Apr 30 18:33:14 2024 : Debug: (165) eap_peap:   Module-Failure-Message = "Credentials Invalid (MSCHAP2)"
Tue Apr 30 18:33:14 2024 : Debug: (165) eap_peap: Got tunneled reply RADIUS code 3
Tue Apr 30 18:33:14 2024 : Debug: (165) eap_peap:   MS-CHAP-Error = "\360E=691 R=1 C=00908ce71bf5c81896c3ef83690fc3ac V=3 M=Authentication rejected"
Tue Apr 30 18:33:14 2024 : Debug: (165) eap_peap:   EAP-Message = 0x04f00004
Tue Apr 30 18:33:14 2024 : Debug: (165) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
Tue Apr 30 18:33:14 2024 : Debug: (165) eap_peap:   Module-Failure-Message = "Credentials Invalid (MSCHAP2)"
Tue Apr 30 18:33:14 2024 : Debug: (165) eap_peap: Tunneled authentication was rejected

  4. If the certificate used for RADIUS is a wildcard web certificate, the TLS handshake fails with error:0A000076:SSL routines::no suitable signature algorithm:

(1) eap_ttls: ERROR: TLS Alert write:fatal:internal error
tls: TLS_accept: Error in error
(1) eap_ttls: ERROR: Failed in __FUNCTION__ (SSL_read): error:0A000076:SSL routines::no suitable signature algorithm
(1) eap_ttls: ERROR: System call (I/O) error (-1)
(1) eap_ttls: ERROR: TLS receive handshake failed during operation
(1) eap_ttls: ERROR: [eaptls process] = fail
(1) # Executing group from file /etc/raddb/radiusd.conf
(1) Login incorrect (eap_ttls: TLS Alert write:fatal:internal error): [user2] (from client 172.16.14.247 port 7 cli 04-7D-7B-DE-A6-80)

FortiNAC also prints the following message in the RADIUS logs, which points to the RADIUS certificate compatibility guide:


Exiting normally
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
EAP session with state 0x488d114e4a140422c6918763e282ab04 did not finish
Please read http://wiki.freeradius.org/guide/Certificate_Compatibility
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

  5. EAP-TLS is failing with OpenSSL error 20: unable to get local issuer certificate. This occurs when the Root CA is not uploaded to the FortiNAC trusted list, so FortiNAC cannot validate the client's certificate chain. In this case, upload the Root certificate under System -> Certificate Management -> select 'Trusted Certificates' in the upper right corner -> Upload the Root certificate as 'RADIUS Endpoint Trust [radius]'.

Wed Aug 7 14:48:51 2024 : Debug: (11) rest_reject: Value : "eap_tls: (TLS) OpenSSL says error 20: unable to get local issuer certificate"
Wed Aug 7 14:48:51 2024 : Debug: (11) rest_reject: Length : 43
Wed Aug 7 14:48:51 2024 : Debug: (11) rest_reject: Value : "eap_tls: (TLS) Alert write:fatal:unknown CA"
Wed Aug 7 14:48:51 2024 : Debug: (11) rest_reject: Length : 38
Wed Aug 7 14:48:51 2024 : Debug: (11) rest_reject: Value : "eap_tls: (TLS) Server : Error in error"
Wed Aug 7 14:48:51 2024 : Debug: (11) rest_reject: Length : 151
Wed Aug 7 14:48:51 2024 : Debug: (11) rest_reject: Value : "eap_tls: (TLS) Failed reading from OpenSSL: ..\/openssl-3.0.12\/ssl\/statem\/statem_srvr.c[3523]:error:0A000086:SSL routines::certificate verify failed"
Wed Aug 7 14:48:51 2024 : Debug: (11) rest_reject: Length : 44
Wed Aug 7 14:48:51 2024 : Debug: (11) rest_reject: Value : "eap_tls: (TLS) System call (I\/O) error (-1)"
Wed Aug 7 14:48:51 2024 : Debug: (11) rest_reject: Length : 60
Wed Aug 7 14:48:51 2024 : Debug: (11) rest_reject: Value : "eap_tls: (TLS) EAP Receive handshake failed during operation"

  6. FortiNAC is sending an Access-Reject after Pre-Auth.

yams.RadiusAccess.98:3B:XX:XX:XX:XX.RadiusAccessEngine FINE :: 2024-09-05 15:43:59:173 :: #676 :: Get Legacy Isolate Action - Unauthenticated Host on Authentication Enforced SSID
yams.RadiusAccess.98:3B:XX:XX:XX:XX.RadiusAccessEngine FINE :: 2024-09-05 15:43:59:173 :: #676 :: Get Legacy Isolate Action returned: LegacyIsolateAction [accessValue=null, action=0, logicalNetworkName=Authentication]
yams.RadiusAccess.98:3B:XX:XX:XX:XX.RadiusAccessEngine FINE :: 2024-09-05 15:43:59:173 :: #676 :: [Post-Auth] Returns: [Access-Reject] Authentication - Access Deny (Post-Auth)
Thu Sep 5 15:43:59 2024 : Auth: (7) Login incorrect (Authentication - Access Deny (Post-Auth): [Forti\hawada] (from client 10.18.xx.xx port 2 cli 98-3B-XX-XX-XX-XX via TLS tunnel)

The failure occurs because the SSID's predefined logical network 'Authentication' (logicalNetworkName=Authentication) is set to 'DENY'. To change it:

  1. In the FortiNAC Administration UI, navigate to Network -> Inventory.
  2. Select the FGT/Controller/switch -> SSID tab.
  3. Right-click the SSID '<SSID>' and select 'SSID Configuration'.
  4. A new window will appear.

Select the following:

  • RADIUS Proxy:
    • Use RADIUS Server Definitions Inherited from the Device.
  • Network Access:
    • Use Custom Settings.
    • RADIUS Mode: 'Local'.
    • Default RADIUS Attribute Group: 'RFC_VLAN'.
    • Local Server Configuration: <RADIUS config>
      • Default Wireless: Enforce.
        • Isolation VLAN.
        • Use Default.
      • Registration: Enforce.
        • Isolation VLAN.
        • Use Default.
      • Authentication: Bypass.
      • Production: Enforce.
        • Production VLAN.
        • Use Default.

For a wired user, open Model Configuration instead and make the same changes.

Another Post-Auth Access Deny due to legacy Registration VLAN set to Deny:

Wed Feb 28 15:24:44 2024 : Debug: (22) rest_reject: Module-Failure-Message := "Registration - Access Deny (Post-Auth)"
Wed Feb 28 15:24:44 2024 : Auth: (22) Rejected in post-auth: [host/LAPTOP.LAB.LOCAL] (from client 10.2.xx.xx port 2 cli 64-BC-XX-XX-XX-XX via TLS tunnel)


The legacy Registration (Predefined logical network) must be set to 'Enforce'.

(Screenshot: Model Configuration)

  7. MAC Authentication Bypass (MAB) is failing with the 'Unknown local user' error.

For MAB authentication, 'Calling-Station-Id', 'User-Name', and 'User-Password' must all carry the same value, the MAC address of the endpoint; otherwise, FortiNAC returns the following error:

Wed Feb 28 20:06:50 2024 : Auth: (308) Login incorrect (Unknown local user): [f4xxxxxxxx10] (from client 172.xx.xx.xx port 1 cli F4-XX-XX-XX-XX-10)

  8. Error 14094419 (TLS Alert read:fatal:access denied) in the RADIUS logs. This behavior occurs when the RADIUS certificate is a wildcard certificate. To resolve this error, uncheck 'Verify the server's identity by validating the certificate' on the supplicant side (Windows machine). Note that this turns off server certificate validation on that supplicant; a non-wildcard RADIUS certificate whose Subject/SAN matches the server name the supplicant expects resolves the error without that trade-off.

(Screenshot: Verify the server's identity by validating the certificate)

The RADIUS logs show:

(542) eap_tls: ERROR: TLS Alert read:fatal:access denied
(542) eap_tls: SSL_read Error
(542) eap_tls: ERROR: Error in fragmentation logic
(542) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094419:SSL routines:ssl3_read_bytes:tlsv1 alert access denied
(542) eap_tls: ERROR: [eaptls process] = fail
(542) eap-SLDefault_RADIUS: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed
(542) eap-SLDefault_RADIUS: Sending EAP Failure (code 4) ID 62 length 4

Or:


Debug: (522) eap_peap: <<< recv TLS 1.2 [length 0002]
ERROR: (522) eap_peap: TLS Alert read:fatal:access denied
Debug: (522) eap_peap: SSL_read Error
ERROR: (522) eap_peap: Error in fragmentation logic
ERROR: (522) eap_peap: Failed in __FUNCTION__ (SSL_read): s3_pkt.c[1493]:error:14094419:SSL routines:ssl3_read_bytes:tlsv1 alert access denied
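As an added example (not part of this article or of FortiNAC), the following Python helper maps the RADIUS log signatures listed in the items above to the cause this article gives for each, and checks the MAB rule from the 'Unknown local user' item (all three attributes must carry the same MAC). The cause labels and the sample log lines are constructed here; addresses and MACs in them are made up.

```python
import re
from collections import Counter

# Log signatures of the failures covered in this article, mapped to the cause the
# article gives. Checked in order; first match wins, because several failures also
# print shared generic lines ("certificate verify failed") that identify no cause.
SIGNATURES = [
    (r"error 20: unable to get local issuer certificate", "root_ca_not_trusted"),
    (r"error 26\s*: unsuitable certificate purpose", "client_cert_wrong_purpose"),
    (r"no suitable signature algorithm", "wildcard_radius_certificate"),
    (r"tlsv1 alert access denied", "supplicant_rejected_server_cert"),
    (r"mschap-winbind: Failed to read from child output", "ldap_communication_failure"),
    (r"Unknown local user", "mab_attribute_mismatch"),
    (r"(Authentication|Registration) - Access Deny \(Post-Auth\)", "logical_network_set_to_deny"),
]

def classify(line):
    """Return the article's cause label for one RADIUS log line, or None."""
    for pattern, cause in SIGNATURES:
        if re.search(pattern, line):
            return cause
    return None

def triage(log_text):
    """Count how often each known cause appears in a RADIUS log excerpt."""
    return Counter(c for c in map(classify, log_text.splitlines()) if c)

def normalize_mac(value):
    """Reduce any MAC spelling (F4-AA-.., f4aa.., f4:aa:..) to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", value)
    return digits.lower() if len(digits) == 12 else None

def mab_attributes_consistent(calling_station_id, user_name, user_password):
    """MAB rule from the article: all three attributes must carry the same MAC."""
    macs = {normalize_mac(v) for v in (calling_station_id, user_name, user_password)}
    return None not in macs and len(macs) == 1

# Constructed sample lines in the formats shown above (addresses and MACs are made up).
SAMPLE_LOG = """\
Tue Apr 30 13:15:02 2024 : ERROR: (7) eap_tls: Failed in __FUNCTION__ (SSL_read): error:0A000419:SSL routines::tlsv1 alert access denied
(167) eap_tls:   ERROR: (TLS) OpenSSL says error 26 : unsuitable certificate purpose
Wed Aug 7 14:48:51 2024 : Debug: (11) rest_reject: Value : "eap_tls: (TLS) OpenSSL says error 20: unable to get local issuer certificate"
Wed Feb 28 20:06:50 2024 : Auth: (308) Login incorrect (Unknown local user): [f4aabbccdd10] (from client 172.16.0.9 port 1 cli F4-AA-BB-CC-DD-10)
Wed Feb 28 15:24:44 2024 : Debug: (22) rest_reject: Module-Failure-Message := "Registration - Access Deny (Post-Auth)"
Tue Apr 30 13:15:02 2024 : Debug: (7) eap_tls: SSL_read Error
"""
if __name__ == "__main__":
    for cause, count in sorted(triage(SAMPLE_LOG).items()):
        print(f"{cause}: {count}")
```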

 

Related documents: