Enable the following debug commands on FortiNAC before troubleshooting:
CentOS:
# nacdebug -name RadiusAccess true
# nacdebug -name RadiusManager true
FortiNACOS:
# execute enter-shell
# nacdebug -name RadiusAccess true
# nacdebug -name RadiusManager true
Troubleshoot guest authentication to the captive portal page:
- The user receives the Isolation VLAN upon the initial connection to the guest SSID:
yams.RadiusAccess.12:34:56:78:9A:BC.RadiusAccessEngine FINE :: 2021-08-17 12:38:18:212 :: #2296 :: [Post-Auth] Returns: [Access-Accept]
yams.RadiusAccess.12:34:56:78:9A:BC CONFIG :: 2021-08-17 12:38:18:212 :: #2296 :: [Access-Accept] Post-Auth Response (3 RadAttrs):
- After the guest credentials are submitted, no RADIUS packet (CoA or Access-Request) is sent or received.
- After the guest user receives the validated Contact details page and selects 'OK', a RADIUS Access-Request, Access-Accept and Disconnect-Request are sent by FortiNAC:
This leads the FortiAP to disconnect the session, which causes a new authentication request to be sent on behalf of the user machine: a MAB Access-Request is sent from the FortiAP to FortiNAC.
The user machine does not initiate the new authentication request, but the client detects that it has been disconnected and re-connects to the SSID (this happens automatically).
A new Access-Request is sent for MAB by the FortiAP:
yams.RadiusAccess.12:34:56:78:9A:BC CONFIG :: 2021-08-17 12:40:36:481 :: #3468 :: [Access-Request] Authenticate Request (12 RadAttrs):
yams.RadiusAccess.12:34:56:78:9A:BC CONFIG :: 2021-08-17 12:40:36:481 :: #3467 :: -- Fortinet-AP-Name = [FAP] (RadAttr Type=string)
yams.RadiusAccess.12:34:56:78:9A:BC CONFIG :: 2021-08-17 12:40:36:481 :: #3467 :: -- User-Name = [12-34-56-78-9A-BC ] (RadAttr Type=string)
yams.RadiusAccess.12:34:56:78:9A:BC CONFIG :: 2021-08-17 12:40:36:481 :: #3467 :: -- User-Password = [***] (RadAttr Type=User-Password)
FortiNAC sends the Access-Accept including the Guest VLAN:
yams.RadiusAccess.12:34:56:78:9A:BC.RadiusAccessEngine FINE :: 2021-08-17 12:40:36:481 :: #3467 :: [Post-Auth] Returns: [Access-Accept]
yams.RadiusAccess.12:34:56:78:9A:BC CONFIG :: 2021-08-17 12:40:36:481 :: #3467 :: [Access-Accept] Post-Auth Response (3 RadAttrs):
yams.RadiusAccess.12:34:56:78:9A:BC CONFIG :: 2021-08-17 12:40:36:481:: #3467 :: -- Tunnel-Medium-Type = [IEEE-802] (RadAttr)
yams.RadiusAccess.12:34:56:78:9A:BC CONFIG :: 2021-08-17 12:40:36:481:: #3467 :: -- Tunnel-Private-Group-Id = [12] (RadAttr)
yams.RadiusAccess.12:34:56:78:9A:BC CONFIG :: 2021-08-17 12:40:36:481 :: #3467 :: -- Tunnel-Type = [VLAN] (RadAttr)
Disconnect-Request and Disconnect-ACK are seen after the Access-Accept:
yams.RadiusManager INFO :: 2021-08-17 12:40:38:481 :: #298 :: ClearSessThread2 Disconnect request to 10.11.28.254 for 12:34:56:78:9A:BC succeeded
- FortiGate, acting as the wireless controller (WLC), receives the RADIUS attributes in the Access-Accept and changes the VLAN on the FortiAP.
Some iOS devices will not receive an IP address from the guest VLAN after authentication. This is because these iOS devices do not initiate a new DHCP request toward the production DHCP server, which is responsible for providing addresses to the guest device.
In that case, it is recommended to set the registration lease time in FortiNAC's config wizard to a low value, such as 3 minutes.
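To read the debug lines above more systematically, the following added Python script (not part of the original article and not a FortiNAC tool) parses the 'yams.RadiusAccess' and 'yams.RadiusManager' lines per client MAC and checks that the Access-Accept carried the guest VLAN and that the disconnect succeeded. The log sample inside it is constructed in the format shown above, and VLAN ID '12' is taken from that example rather than being a required value.

```python
import re
SEP = re.compile(r"\s*::\s*")   # field separator; the debug shows it with and without a leading space
HDR = re.compile(r"^yams\.(?P<src>RadiusAccess|RadiusManager)"
                 r"(?:\.(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}))?\S*\s+\w+$")
ATTR = re.compile(r"^-- (?P<name>[\w-]+) = \[(?P<value>[^\]]*)\]")
DISC = re.compile(r"Disconnect request to \S+ for (?P<mac>\S+) (?P<result>succeeded|failed)")

def reconstruct(log_text):
    """Group nacdebug RadiusAccess/RadiusManager lines per client MAC into
    {mac: {"requests": n, "accepted": bool, "attrs": {...}, "disconnect": str|None}}."""
    sessions = {}
    new = lambda: {"requests": 0, "accepted": False, "attrs": {}, "disconnect": None}
    for line in log_text.splitlines():
        parts = SEP.split(line.strip(), maxsplit=3)   # header, timestamp, #id, message
        hdr = HDR.match(parts[0]) if len(parts) == 4 else None
        if not hdr:
            continue                                   # not a RadiusAccess/RadiusManager line
        msg = parts[3]
        if hdr["src"] == "RadiusManager":              # disconnect (CoA) result lines
            d = DISC.search(msg)
            if d:
                sessions.setdefault(d["mac"].upper(), new())["disconnect"] = d["result"]
            continue
        s = sessions.setdefault(hdr["mac"].upper(), new())
        a = ATTR.match(msg)
        if msg.startswith("[Access-Request]"):
            s["requests"] += 1
        elif "[Post-Auth] Returns: [Access-Accept]" in msg:
            s["accepted"] = True
        elif a:                                        # "-- Name = [value]" RadAttr line, last value wins
            s["attrs"][a["name"]] = a["value"].strip()
    return sessions

def guest_vlan_assigned(s, guest_vlan):
    """True when the Access-Accept carried the guest VLAN and the disconnect that
    makes the FortiAP drop the session (so a new MAB request follows) succeeded."""
    return (s["accepted"] and s["attrs"].get("Tunnel-Type") == "VLAN"
            and s["attrs"].get("Tunnel-Private-Group-Id") == guest_vlan
            and s["disconnect"] == "succeeded")

# Constructed sample in the format of the debug output above (not a real capture)
SAMPLE_LOG = """\
yams.RadiusAccess.12:34:56:78:9A:BC CONFIG :: 2021-08-17 12:40:36:481 :: #3468 :: [Access-Request] Authenticate Request (12 RadAttrs):
yams.RadiusAccess.12:34:56:78:9A:BC CONFIG :: 2021-08-17 12:40:36:481 :: #3467 :: -- User-Name = [12-34-56-78-9A-BC ] (RadAttr Type=string)
yams.RadiusAccess.12:34:56:78:9A:BC.RadiusAccessEngine FINE :: 2021-08-17 12:40:36:481 :: #3467 :: [Post-Auth] Returns: [Access-Accept]
yams.RadiusAccess.12:34:56:78:9A:BC CONFIG :: 2021-08-17 12:40:36:481:: #3467 :: -- Tunnel-Private-Group-Id = [12] (RadAttr)
yams.RadiusAccess.12:34:56:78:9A:BC CONFIG :: 2021-08-17 12:40:36:481 :: #3467 :: -- Tunnel-Type = [VLAN] (RadAttr)
yams.RadiusManager INFO :: 2021-08-17 12:40:38:481 :: #298 :: ClearSessThread2 Disconnect request to 10.11.28.254 for 12:34:56:78:9A:BC succeeded
"""
```

Run `reconstruct(SAMPLE_LOG)` on the output of the enabled debugs (or on a grab-log-snapshot) and apply `guest_vlan_assigned` per MAC; a client that authenticated but never got the disconnect, or got the Isolation VLAN again, shows up as False.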
Disable the debugs once finished. Unlike FortiGate, FortiNAC debugs do NOT time out: they keep writing logs until reboot, which degrades the performance of the VM and can affect other virtual machines on the same hypervisor because of the I/O load:
CentOS:
# nacdebug -name RadiusAccess false
# nacdebug -name RadiusManager false
FortiNACOS:
# execute enter-shell
# nacdebug -name RadiusAccess false
# nacdebug -name RadiusManager false
Once testing is complete and the debugs are disabled, collect the grab-log-snapshot output and attach it to the ticket.
Related article: Technical Tip: FortiNAC Guest Captive Portal configuration and workflow