Description
This article describes cases with 802.1x EAP-TLS authentication where switches are configured with a non-default MTU value which prevents Local Radius in FortiNAC to respond to authentication requests.
Scope
Version: 9.x.
Solution
To troubleshoot Local RADIUS, the logs are normally checked in two places:
- Tail output.master after enabling debugging for Local RADIUS:
campusmgrdebug -name RadiusAccess true
logs
tf output.master
- Monitor the log in /var/log/radius/radius.log.
More detailed information and log examples are provided in Troubleshooting Tip: Local RADIUS log message examples.
There are cases where the switch MTU is set to a non-default value.
The example below shows the AVPs in an Access-Request from a Cisco 2960 switch whose MTU is set to 9198.
- Mar 1 ----- 2022 : Debug: (0) x User-Name = 'abc@fortinet.lab'.
- Mar 1 ----- 2022 : Debug: (0) Service-Type = Framed-User.
- Mar 1 ----- 2022 : Debug: (0) Cisco-AVPair = 'service-type=Framed'.
- Mar 1 ----- 2022 : Debug: (0) x Framed-MTU = 9198.
With 802.1x EAP-TLS, the RADIUS logs show no Access-Reject and output.master shows no interesting events; the authentication simply never completes.
Changing the switch MTU to an appropriate value resolves the issue.
For troubleshooting, or under specific network conditions, the MTU of the FortiNAC interfaces can also be changed from the CLI, as below:
FNAC> ifconfig eth1 mtu 1400
In this case, the MTU value for the eth1 interface will be set to 1400 (default 1500).
- Packet Capture
On the RADIUS client (the switch) and the RADIUS server (FortiNAC), run a packet capture on both sides at the same time and check whether one side sends packets that the other never receives. The Framed-MTU may be visible in the attribute list of the RADIUS Access-Request packets.
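As an added example (not code from the article or from FortiNAC), the following Python parses the attribute list of a RADIUS Access-Request, prints the AVPs in the same form as the output.master excerpt above, and flags a Framed-MTU larger than the server interface MTU. The packet is constructed inline to mirror the article's log, and the 1500-byte server MTU is the interface default mentioned above.

```python
import struct
# RADIUS attribute types (RFC 2865) that appear in the article's log excerpt
USER_NAME, SERVICE_TYPE, FRAMED_MTU, VENDOR_SPECIFIC = 1, 6, 12, 26
CISCO_VENDOR_ID = 9  # IANA enterprise number used in Cisco-AVPair

def _avp(atype: int, value: bytes) -> bytes:
    # one attribute: type, length (header included), value
    return bytes([atype, len(value) + 2]) + value

def build_sample_request() -> bytes:
    # Constructed Access-Request mirroring the article's log; the authenticator is zeroed for the demo
    attrs = (_avp(USER_NAME, b"abc@fortinet.lab")
             + _avp(SERVICE_TYPE, struct.pack("!I", 2))  # 2 = Framed-User
             + _avp(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + _avp(1, b"service-type=Framed"))
             + _avp(FRAMED_MTU, struct.pack("!I", 9198)))
    return struct.pack("!BBH", 1, 0, 20 + len(attrs)) + bytes(16) + attrs

def parse_avps(packet: bytes) -> list:
    # Walk the attribute list after the 20-byte header, rejecting lengths that overrun the packet
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("RADIUS length field does not match the packet")
    avps, pos = [], 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        avps.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return avps

def describe_avps(avps: list) -> list:
    # Render the AVPs the way output.master prints them, so a capture can be matched against the log
    lines = []
    for atype, value in avps:
        if atype == USER_NAME:
            lines.append("User-Name = '%s'" % value.decode())
        elif atype == SERVICE_TYPE:
            lines.append("Service-Type = %s" % {2: "Framed-User"}.get(struct.unpack("!I", value)[0], "?"))
        elif atype == FRAMED_MTU:
            lines.append("Framed-MTU = %d" % struct.unpack("!I", value)[0])
        elif atype == VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            lines.append("Cisco-AVPair = '%s'" % value[6:].decode())  # skip vendor id + 2-byte VSA header
    return lines

def framed_mtu_exceeds(packet: bytes, server_mtu: int = 1500):
    # (Framed-MTU, flag): flag is True when the NAS advertises an MTU larger than the server interface MTU
    mtus = [struct.unpack("!I", v)[0] for t, v in parse_avps(packet) if t == FRAMED_MTU and len(v) == 4]
    return (mtus[0], mtus[0] > server_mtu) if mtus else (None, False)
```

Run `framed_mtu_exceeds` over the Access-Request bytes pulled from the capture on the FortiNAC side; a True flag means the switch advertises a larger MTU than the server interface carries, which is the condition the article describes.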