FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
cmaheu
Staff
Article Id 364116
Description

This article describes a behavior in High Availability configurations where the RADIUS health check fails even though the RADIUS service is running properly. It is triggered when the Require Message-Authenticator attribute is set to 'Enabled' under Network -> RADIUS -> Configuration in the FortiNAC Admin GUI. When the health check fails, FortiNAC initiates a failover to the secondary server.


'Require Message-Authenticator' Option Descriptions:

  • Enabled: Require Message-Authenticator attribute for all Access-Request, Access-Accept, and Access-Reject messages to enable BlastRADIUS protection.
  • Disabled: BlastRADIUS protection is disabled.
  • Auto: Enables BlastRADIUS protection for NAS clients that send the Message-Authenticator attribute while still supporting legacy NAS clients that do not. Note that BlastRADIUS protection will not be enabled for legacy NAS clients.


The authentication test packets sent by the health check do not contain the Message-Authenticator attribute, so the RADIUS service drops them when the option is set to 'Enabled'.

Because no response is received, FortiNAC's health check logic concludes that RADIUS is not responding and triggers a failover.
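To illustrate the mechanism above, here is an added example that is not FortiNAC's own code: it builds a RADIUS Access-Request with or without the Message-Authenticator attribute (HMAC-MD5 over the packet, RFC 2869) and then applies the three policy modes from the option description to show why a probe that lacks the attribute is dropped under 'Enabled' but accepted under 'Auto'. The shared secret, identifiers and User-Name value are constructed sample data, and a present Message-Authenticator is assumed to be verified in every mode.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
MSG_AUTH_TYPE = 80          # Message-Authenticator attribute type (RFC 2869)
ZERO16 = b"\x00" * 16


def _attr(type_code: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: Type(1) Length(1) Value."""
    return struct.pack("!BB", type_code, len(value) + 2) + value


def build_access_request(secret: bytes, ident: int, attrs: list, with_msg_auth: bool) -> bytes:
    """Build an Access-Request; optionally append a valid Message-Authenticator."""
    authenticator = os.urandom(16)               # Request Authenticator (random)
    body = b"".join(_attr(t, v) for t, v in attrs)
    if with_msg_auth:
        body += _attr(MSG_AUTH_TYPE, ZERO16)      # zeroed placeholder, filled below
    length = 20 + len(body)
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, length) + authenticator + body
    if with_msg_auth:
        mac = hmac.new(secret, pkt, hashlib.md5).digest()
        pkt = pkt[:-16] + mac                     # attribute value is the last 16 bytes
    return pkt


def validate_access_request(pkt: bytes, secret: bytes, mode: str):
    """Return (accepted, reason) as a server with the given policy mode would decide.

    mode is one of 'enable', 'disable', 'auto' (the page's three option values).
    """
    pos, mac_pos = 20, None
    while pos < len(pkt):                         # walk the attribute list
        t, l = pkt[pos], pkt[pos + 1]
        if t == MSG_AUTH_TYPE:
            mac_pos = pos + 2                     # offset of the 16-byte value
        pos += l
    if mac_pos is None:
        if mode == "enable":
            return False, "dropped: Message-Authenticator missing"
        return True, "accepted: legacy client, no BlastRADIUS protection"
    # Verify: recompute HMAC-MD5 with the attribute value zeroed (assumed for every mode)
    zeroed = pkt[:mac_pos] + ZERO16 + pkt[mac_pos + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if hmac.compare_digest(expected, pkt[mac_pos:mac_pos + 16]):
        return True, "accepted: Message-Authenticator verified"
    return False, "dropped: Message-Authenticator invalid"
```

The probe without the attribute models the health check packet described above: it is dropped only in 'enable' mode, which is the failover trigger this article covers.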

Scope

FortiNAC vF7.2.8, vF7.4.0, vF7.6.0 and greater.
Solution

This will be addressed in a future release.


Workaround - FortiNAC GUI Method:
Go under Network -> RADIUS -> Configuration and set the Require Message-Authenticator option to either Auto or Disabled.


Workaround - FortiNAC CLI Method (FortiNAC-OS):

Disable the RADIUS component of the health check. Log in as admin and type:


execute enter-shell
globaloptiontool -name highAvail.radiusCheckEnabled -set "false"
exit


Workaround - FortiNAC CLI Method (CentOS):

Disable the RADIUS component of the health check. Log in as root and type:


globaloptiontool -name highAvail.radiusCheckEnabled -set "false"

logout


If the secondary server is in control because a failover already occurred, return control to the primary server once the settings have been changed.