FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
ebilcari
Staff
Article Id 240180
Description

 

This article describes how to fix repetitive Authentication Failure events that are seen in the FortiNAC GUI even though users are getting network access.

 

Scope

 

FortiNAC 9.2.x and 9.4.x.

 

Solution

 

Under Logs -> Events & Alarms, repetitive Authentication Failure events can be seen in the FortiNAC GUI.

 

Users are authenticated via RADIUS (MAC authentication or EAP-TLS machine authentication) and are getting network access without any issue, so the events do not match a real RADIUS failure.

 

Date   Event                   Element             Message
11:40  Authentication Failure  D4:54:8B:AA:88:33   User host/pc-01 failed to log on IP address 192.168.50.11
11:40  Authentication Failure  Alex_IPad           User B4-F6-1C-13-15-17 failed to log on IP address 192.168.60.11

 

The source of these events can be checked by enabling the following debug and reviewing the output:

 

> nacdebug -name DirectoryAuthentication true

yams.DirectoryAuthentication FINER :: 2022-12-19 10:51:19:773 :: #81 :: DirectoryAuthentication::getUserByUserID failed to find null trying other formats
yams.DirectoryAuthentication FINER :: 2022-12-19 10:51:19:774 :: #81 :: DirectoryAuthentication::loginHost getUserByUserID returning null
yams.DirectoryAuthentication FINER :: 2022-12-19 10:51:19:774 :: #81 :: DirectoryAuthentication::loginHost origClient IS null throw log on failure

 

These logs come from DirectoryAuthentication (a user lookup in the directory) and are not related to RADIUS authentication.

 

They are produced by a separate feature that logs users on to FortiNAC based on the user information obtainable from a network device through an L2 poll (the device's forwarding data). This login attempt does not filter out MAC addresses or host/* names (the typical user ID of a Windows AD machine authentication), so FortiNAC tries to look those strings up as user IDs in the directory, finds nothing, and records an Authentication Failure event for each one.
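To confirm that the failures follow this pattern before touching any device, the events can be triaged by the shape of the failed user ID. The script below is an added example, not part of this article or of FortiNAC; it parses lines in the shape of the Events & Alarms rows above (the sample rows are constructed, not real log data) and classifies each failed user ID as a MAC address (colon, dash or bare hex form), a host/* machine account, or an ordinary username. Only the last kind deserves investigation as a real directory login problem.

```python
import re
from collections import Counter

# Constructed sample rows in the layout of the FortiNAC Events & Alarms table
# (Date, Event, Element, Message). These are NOT real log data.
SAMPLE_EVENTS = [
    "11:40 Authentication Failure D4:54:8B:AA:88:33 User host/pc-01 failed to log on IP address 192.168.50.11",
    "11:40 Authentication Failure Alex_IPad User B4-F6-1C-13-15-17 failed to log on IP address 192.168.60.11",
    "11:41 Authentication Failure Lab_Printer User b4f61c131518 failed to log on IP address 192.168.60.12",
    "11:42 Authentication Failure 00:11:22:33:44:55 User jdoe failed to log on IP address 192.168.70.5",
]

# One event row: time, "Authentication Failure", element, then the message text.
EVENT_RE = re.compile(
    r"^(?P<time>\d{1,2}:\d{2})\s+Authentication Failure\s+(?P<element>\S+)\s+"
    r"User (?P<user>\S+) failed to log on IP address (?P<ip>\S+)$"
)

# MAC in AA:BB:CC:DD:EE:FF, AA-BB-CC-DD-EE-FF or AABBCCDDEEFF form.
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}$|^[0-9a-f]{12}$", re.IGNORECASE)


def classify_user(user):
    """Classify the failed user ID: the first two kinds are what an L2-poll
    login passes to the directory lookup and cannot be real directory users."""
    if MAC_RE.match(user):
        return "mac-address"
    if user.lower().startswith("host/"):
        return "machine-account"
    return "user"


def parse_event(line):
    """Parse one event row into a dict, or None if the row has another shape."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["kind"] = classify_user(event["user"])
    return event


def triage(lines):
    """Return (parsed events, counts per kind, events that are not real users)."""
    parsed = [e for e in (parse_event(line) for line in lines) if e]
    counts = Counter(e["kind"] for e in parsed)
    spurious = [e for e in parsed if e["kind"] != "user"]
    return parsed, counts, spurious


if __name__ == "__main__":
    parsed, counts, spurious = triage(SAMPLE_EVENTS)
    for e in parsed:
        print(f'{e["time"]}  {e["element"]:20} {e["user"]:22} {e["ip"]:15} -> {e["kind"]}')
    print("summary:", dict(counts))
    print(f"{len(spurious)} of {len(parsed)} failures are MAC or machine-account lookups")
```

If nearly every row lands in the mac-address or machine-account buckets, the events are the L2-poll lookups described above; rows classified as user are the ones to check against RADIUS and directory logs before disabling anything.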
 
To verify that this feature is the cause, disable the L2 poll user login feature on the network devices whose forwarding data is contributing the user information seen in the events. This is done by setting the attribute 'LoginUserFromForwardingData' to false on the device model:

device -ip <IP of Network Device> -setAttr -name LoginUserFromForwardingData -value false
 

Example: 

 

device -ip 10.0.0.1 -setAttr -name LoginUserFromForwardingData -value false

 

Disabling this option affects any FortiNAC policies that rely on having a logged-on user, in cases where that user is not also logged on through another means (RADIUS, agent, etc.). Check such policies before applying the change broadly.
 
The new attribute appears as an extra line in the device's attribute list:
 

> device -ip 10.0.0.1
...
Name = LoginUserFromForwardingData value = false length = 5