1. Error 0A000419 will appear in the RADIUS logs if entering a different server name/FQDN than the FortiNAC RADIUS certificate CN/Subject and Subject Alternative Names (SAN):
   
   

Tue Apr 30 13:15:02 2024 : Debug: (7) eap_tls: [eaptls verify] = length included

Tue Apr 30 13:15:02 2024 : Debug: (7) eap_tls: <<< recv TLS 1.2  [length 0005]

Tue Apr 30 13:15:02 2024 : Debug: (7) eap_tls: <<< recv TLS 1.2  [length 0002]

Tue Apr 30 13:15:02 2024 : ERROR: (7) eap_tls: TLS Alert read:fatal:access denied

Tue Apr 30 13:15:02 2024 : Debug: (7) eap_tls: SSL_read Error

Tue Apr 30 13:15:02 2024 : ERROR: (7) eap_tls: Error in fragmentation logic

Tue Apr 30 13:15:02 2024 : ERROR: (7) eap_tls: Failed in __FUNCTION__ (SSL_read): ../openssl-3.0.12/ssl/record/rec_layer_s3.c[1586]:error:0A000419:SSL routines::tlsv1 alert access denied

Tue Apr 30 13:15:02 2024 : ERROR: (7) eap_tls: [eaptls process] = fail

Tue Apr 30 13:15:02 2024 : ERROR: (7) eap-DefaultConfig: Failed continuing EAP TLS (13) session.  EAP sub-module failed

Tue Apr 30 13:15:02 2024 : Debug: (7) eap-DefaultConfig: Sending EAP Failure (code 4) ID 182 length 4

Tue Apr 30 13:15:02 2024 : Debug: (7) eap-DefaultConfig: Failed in EAP select

Tue Apr 30 13:15:02 2024 : Debug: (7)     modsingle[authenticate]: returned from eap-DefaultConfig (rlm_eap)

Make sure the RADIUS Subject is entered in the 'Correct to these servers (examples:srv1;srv2;.*\.srv3\.com)'.
Type the name exactly as it appears in the subject field of each RADIUS server certificate or use regular expressions (regex) to specify the server name:

2. Error 0A000086 OpenSSL says error 26: unsuitable certificate purpose:

167) eap_tls:   ERROR: (TLS) OpenSSL says error 26 : unsuitable certificate purpose

(167) eap_tls: (TLS) send TLS 1.2 Alert, fatal unsupported_certificate

(167) eap_tls: ERROR: (TLS) Alert write:fatal:unsupported certificate

(167) eap_tls: ERROR: (TLS) Server : Error in error

(167) eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:0A000086:SSL routines::certificate verify failed

Verify the below are correct:

• Remove the wrong client certificate sent by the supplicant from the Personal certificate list. Verify the certificate sent by looking at RADIUS debug logs:

(31) eap_tls: TLS-Client-Cert-Serial := "xxxxxxxxxxxxxxxxxxxxx"

(31) eap_tls: TLS-Client-Cert-Subject := "xxxxxxx"

• 'Key Usage' field with 'Digital Signature, Key Encipherment' attributes.
• The 'Enhanced Key Usage' field includes 'Client Authentication' (1.3.6.1.5.5.7.3.2) attributes.
• Subject Alternative Name has value OtherName: Principle Name=<user@labdc.local>
• Make sure the client certificate is signed by the Correct Root Certificate.

3. EAP-PEAP-MSCHAPv2 FortiNAC is unable to authenticate the user toward LDAP due to LDAP communication issues between FortiNAC and the LDAP server:
   
   Tue Apr 30 18:33:14 2024 : Auth: (165)   Login incorrect (mschap-winbind: Failed to read from child output): [LABDC\peapuser] (from client 192.168.10.10 port 1 cli 34-E6-D7-3A-6A-47 via TLS tunnel)

Tue Apr 30 18:33:14 2024 : Debug: (165) } # server DefaultConfig-inner-tunnel

Tue Apr 30 18:33:14 2024 : Debug: (165) Virtual server sending reply

Tue Apr 30 18:33:14 2024 : Debug: (165)   MS-CHAP-Error = "\360E=691 R=1 C=00908ce71bf5c81896c3ef83690fc3ac V=3 M=Authentication rejected"

Tue Apr 30 18:33:14 2024 : Debug: (165)   EAP-Message = 0x04f00004

Tue Apr 30 18:33:14 2024 : Debug: (165)   Message-Authenticator = 0x00000000000000000000000000000000

Tue Apr 30 18:33:14 2024 : Debug: (165)   Module-Failure-Message = "Credentials Invalid (MSCHAP2)"

Tue Apr 30 18:33:14 2024 : Debug: (165) eap_peap: Got tunneled reply code 3

Tue Apr 30 18:33:14 2024 : Debug: (165) eap_peap:   MS-CHAP-Error = "\360E=691 R=1 C=00908ce71bf5c81896c3ef83690fc3ac V=3 M=Authentication rejected"

Tue Apr 30 18:33:14 2024 : Debug: (165) eap_peap:   EAP-Message = 0x04f00004

Tue Apr 30 18:33:14 2024 : Debug: (165) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000

Tue Apr 30 18:33:14 2024 : Debug: (165) eap_peap:   Module-Failure-Message = "Credentials Invalid (MSCHAP2)"

Tue Apr 30 18:33:14 2024 : Debug: (165) eap_peap: Got tunneled reply RADIUS code 3

Tue Apr 30 18:33:14 2024 : Debug: (165) eap_peap:   MS-CHAP-Error = "\360E=691 R=1 C=00908ce71bf5c81896c3ef83690fc3ac V=3 M=Authentication rejected"

Tue Apr 30 18:33:14 2024 : Debug: (165) eap_peap:   EAP-Message = 0x04f00004

Tue Apr 30 18:33:14 2024 : Debug: (165) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000

Tue Apr 30 18:33:14 2024 : Debug: (165) eap_peap:   Module-Failure-Message = "Credentials Invalid (MSCHAP2)"

Tue Apr 30 18:33:14 2024 : Debug: (165) eap_peap: Tunneled authentication was rejected

4. If the Web RADIUS certificate is a wildcard certificate, it will end up with error:0A000076:SSL routines::no suitable signature algorithm.

(1) eap_ttls: ERROR: TLS Alert write:fatal:internal error
tls: TLS_accept: Error in error
(1) eap_ttls: ERROR: Failed in __FUNCTION__ (SSL_read): error:0A000076:SSL routines::no suitable signature algorithm
(1) eap_ttls: ERROR: System call (I/O) error (-1)
(1) eap_ttls: ERROR: TLS receive handshake failed during operation
(1) eap_ttls: ERROR: [eaptls process] = fail
(1) # Executing group from file /etc/raddb/radiusd.conf
(1) Login incorrect (eap_ttls: TLS Alert write:fatal:internal error): [user2] (from client 172.16.14.247 port 7 cli 04-7D-7B-DE-A6-80)

FortiNAC will also print the below message in the RADIUS logs to view the RADIUS certificate compatibility:

Exiting normally
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
EAP session with state 0x488d114e4a140422c6918763e282ab04 did not finish
Please read http://wiki.freeradius.org/guide/Certificate_Compatibility    
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

5. 5EAP-TLS is failing with OpenSSL error 20: unable to get local issuer certificate. This occurs when Root CA is not uploaded to the FortiNAC trusted list. Hence, FortiNAC complains about trusting the client's certificate. In this case, it is necessary to upload the Root  certificate under System -> Certificate Management -> On the upper right corner select 'Trusted Certificates' -> Upload the Root certificate as 'RADIUS Endpoint Trust [radius]'.

    

   Wed Aug 7 14:48:51 2024 : Debug: (11) rest_reject: Value : "eap_tls: (TLS) OpenSSL says error 20: unable to get local issuer certificate"
   Wed Aug 7 14:48:51 2024 : Debug: (11) rest_reject: Length : 43
   Wed Aug 7 14:48:51 2024 : Debug: (11) rest_reject: Value : "eap_tls: (TLS) Alert write:fatal:unknown CA"
   Wed Aug 7 14:48:51 2024 : Debug: (11) rest_reject: Length : 38
   Wed Aug 7 14:48:51 2024 : Debug: (11) rest_reject: Value : "eap_tls: (TLS) Server : Error in error"
   Wed Aug 7 14:48:51 2024 : Debug: (11) rest_reject: Length : 151
   Wed Aug 7 14:48:51 2024 : Debug: (11) rest_reject: Value : "eap_tls: (TLS) Failed reading from OpenSSL: ..\/openssl-3.0.12\/ssl\/statem\/statem_srvr.c[3523]:error:0A000086:SSL routines::certificate verify failed"
   Wed Aug 7 14:48:51 2024 : Debug: (11) rest_reject: Length : 44
   Wed Aug 7 14:48:51 2024 : Debug: (11) rest_reject: Value : "eap_tls: (TLS) System call (I\/O) error (-1)"
   Wed Aug 7 14:48:51 2024 : Debug: (11) rest_reject: Length : 60
   Wed Aug 7 14:48:51 2024 : Debug: (11) rest_reject: Value : "eap_tls: (TLS) EAP Receive handshake failed during operation"

    

    

Related article:

Troubleshooting Tip: Troubleshoot and Debug FortiNAC Local Radius via GUI and CLI

Machine Authentication - FortiNAC-F documentation