Description
This article describes cases with 802.1x EAP-TLS authentication where switches are configured with a non-default MTU value which prevents Local Radius in FortiNAC to respond to authentication requests.
Scope
Version: 9.x.
Solution
In order to troubleshoot Local Radius, it is normally checked the logs in two places:
a) Tailing output.master by enabling debugging for local radius.
campusmgrdebug -name RadiusAccess true
logs
tf output.master
b) Monitoring the logs in /var/log/radius/radius.log.
More detailed information and log examples are provided below: article:
https://community.fortinet.com/t5/FortiNAC/Troubleshooting-Tip-Local-RADIUS-log-message-examples/ta-...
There are cases where the switch MTU is set to a non-default value.
In the below example we can see the AVPs in an access request from a cisco 2960 switch with default switch MTU set to 9198.
- Mar 1 ----- 2022 : Debug: (0) x User-Name = 'abc@fortinet.lab'.
- Mar 1 ----- 2022 : Debug: (0) Service-Type = Framed-User.
- Mar 1 ----- 2022 : Debug: (0) Cisco-AVPair = 'service-type=Framed'.
- Mar 1 ----- 2022 : Debug: (0) x Framed-MTU = 9198.
Using 802.1x with EAP-TLS in the radius logs we would see no access-reject and no interesting events in output.master.
Changing the switch MTU to an appropriate value would resolve the issue.
In case of troubleshooting or other specific network conditions there is also the option to change the MTU size on FNAC interfaces through the CLI as below:
FNAC> ifconfig eth1 mtu 1400
In this case we would set the MTU value for eth1 interface to 1400 (default 1500).
Other related articles:
https://community.fortinet.com/t5/FortiNAC/Troubleshooting-Tip-FortiNAC-Local-Radius-Debug-amp/ta-p/...
https://community.fortinet.com/t5/FortiNAC/Troubleshooting-Tip-Troubleshoot-and-Debug-FortiNAC-Local...
