Description
This article describes cases with 802.1x EAP-TLS authentication where switches are configured with a non-default MTU value, which prevents Local RADIUS in FortiNAC from responding to authentication requests.
Scope
FortiNAC v9.x.
Solution
To troubleshoot Local RADIUS, the logs are normally checked in two places:
campusmgrdebug -name RadiusAccess true
logs
tf output.master
More detailed information and log examples are provided in Troubleshooting Tip: Local RADIUS log message examples.
There are cases where the switch MTU is set to a non-default value.
The example below shows the AVPs in an Access-Request from a Cisco 2960 switch with default switch MTU set to 9198.
- Mar 1 ----- 2022 : Debug: (0) x User-Name = 'abc@fortinet.lab'.
- Mar 1 ----- 2022 : Debug: (0) Service-Type = Framed-User.
- Mar 1 ----- 2022 : Debug: (0) Cisco-AVPair = 'service-type=Framed'.
- Mar 1 ----- 2022 : Debug: (0) x Framed-MTU = 9198.
When 802.1x with EAP-TLS is used in this situation, the RADIUS logs show no Access-Reject and output.master shows no interesting events.
Changing the MTU on the switch to an appropriate value will resolve the issue.
For troubleshooting or other specific network conditions, there is also the option to change the MTU size on FNAC interfaces through the CLI as below:
FNAC> ifconfig eth0 mtu 1400
In this case, the MTU value for the eth0 interface will be set to 1400 (default 1500).
The same command can be applied if the MTU change is required on the eth1 interface.
On the RADIUS client and RADIUS server (FortiNAC), create a simultaneous packet capture and see if one node sends packets that the other may not receive. The Framed-MTU may be visible in the Attribute list of the RADIUS packets.
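When comparing the two captures, the Framed-MTU value can be read straight from the RADIUS UDP payload. The following is an added example, not Fortinet code: it parses the attribute list of a RADIUS packet, extracts Framed-MTU (attribute type 12 in RFC 2865) and flags a value larger than the server interface MTU. The sample packet is constructed, the function names are hypothetical, and the 1500 default is the eth0 default stated above.

```python
import struct

FRAMED_MTU = 12  # RADIUS attribute type 12 (RFC 2865), 32-bit integer


def parse_radius_avps(payload: bytes) -> dict:
    """Return {attr_type: [raw values]} from a RADIUS packet (UDP payload)."""
    if len(payload) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", payload[2:4])[0]
    if length < 20 or length > len(payload):
        raise ValueError("RADIUS length field does not match the payload")
    avps, pos = {}, 20
    while pos < length:
        # Each attribute is type(1) + length(1) + value; length covers all three.
        if pos + 2 > length or payload[pos + 1] < 2 or pos + payload[pos + 1] > length:
            raise ValueError("malformed attribute")
        a_type, a_len = payload[pos], payload[pos + 1]
        avps.setdefault(a_type, []).append(payload[pos + 2:pos + a_len])
        pos += a_len
    return avps


def framed_mtu(payload: bytes):
    """Framed-MTU advertised by the RADIUS client, or None if absent."""
    values = parse_radius_avps(payload).get(FRAMED_MTU)
    if not values:
        return None
    if len(values[0]) != 4:
        raise ValueError("Framed-MTU must be 4 bytes")
    return struct.unpack("!I", values[0])[0]


def exceeds_interface_mtu(payload: bytes, interface_mtu: int = 1500) -> bool:
    """True when the advertised Framed-MTU is larger than the server interface MTU."""
    mtu = framed_mtu(payload)
    return mtu is not None and mtu > interface_mtu


def build_sample_request(mtu: int) -> bytes:
    """Constructed Access-Request (code 1) with User-Name and Framed-MTU only."""
    name = b"abc@fortinet.lab"
    attrs = bytes([1, 2 + len(name)]) + name  # type 1 = User-Name
    attrs += bytes([FRAMED_MTU, 6]) + struct.pack("!I", mtu)
    return struct.pack("!BBH", 1, 0, 20 + len(attrs)) + bytes(16) + attrs


if __name__ == "__main__":
    print(framed_mtu(build_sample_request(9198)))
```

Pass the UDP payload bytes of an Access-Request exported from either capture to `exceeds_interface_mtu`, with `interface_mtu` set to the value configured on the FortiNAC interface.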
Related articles:
Troubleshooting Tip: FortiNAC Local Radius Debug and Troubleshooting via GUI.
Troubleshooting Tip: Troubleshoot and Debug FortiNAC Local Radius via GUI and CLI.
Copyright 2025 Fortinet, Inc. All Rights Reserved.