FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
Anonymous
Not applicable
Article Id 221455
Description

This article describes some common local Radius failures in FortiNAC and provides accompanying debug logs and examples.

 

To enable debugging and view logs via the GUI (versions 9.2 and greater), refer to 'Debug & Troubleshooting' in the Administration UI as per this article.

 

To enable debugging and view logs via the CLI:

 

  1. Log in as root to the appliance CLI.
  2. Run the following command:

tail -F /var/log/radius/radius.log

  3. Attempt to connect with a test host.
  4. Monitor the log.
Scope

FortiNAC v8.8.x, v9.1.x, v9.2.x, v9.4.x.
Solution

Issue 1: Port already in use.

 

Associated logs that indicate this:

 

Tue Aug 22 13:06:56 2022 : Error: Failed binding to auth address * port 1812: Address already in use

 

Cause:

 

The local RADIUS service and the RADIUS proxy are configured to listen on the same UDP port. The second service to start cannot bind the port, so the local RADIUS service fails to start.

 

Solution:

 

Change the listening port of either the local RADIUS service or the RADIUS proxy so that the two no longer overlap, for example local RADIUS on port 1812 and the RADIUS proxy on port 1645 (the legacy RADIUS authentication port, with 1646 for accounting).

To keep port 1812 for local RADIUS and move the proxy, perform the following steps:

 

  1. Go to the Network -> RADIUS -> Proxy tab and change the Authentication Port and Accounting Port to 1645 and 1646.
  2. If RADIUS Proxy is not used, uncheck the boxes and save the settings.
  3. Select Local Service and Enable the Service.

 

Remember to configure the NAS devices (switches, wireless controllers) to send their RADIUS traffic to the port the intended service listens on; a NAS still pointed at the old proxy port will get no answer.

 

Issue 2: No mutually acceptable types found.

 

Associated logs that indicate this:

 

Tue Aug 22 13:06:56 2022 : Auth: (414) Login incorrect (eap: No mutually acceptable types found): [host/edvin.fortinet.lab] (from client 10.x.x.c port 574 cli xx-xx-xx-xx-xx-xx)

 

Cause:

 

EAP type mismatch between the client supplicant and FortiNAC acting as the RADIUS server: the client proposes an EAP method that is not enabled on the server.


Solution:

 

The required EAP types have not been checked in the RADIUS configuration. Enable the EAP types that the supplicants in the deployment actually use; enabling all of them is the quickest way to rule out a mismatch, since FortiNAC can then accommodate each type of EAP request coming from different clients.

 

 


Figure 1. Radius Configuration tab

 

 

  1. Navigate to the Local RADIUS configuration.
  2. Select the Modify icon in the TLS Service Configuration.
  3. Enable the ciphers supported by the client (for example, a Windows 7 client).
  4. Select OK.
  5. Select 'Save Settings'.

 

 

 


Figure 2. Local Radius configuration

 

 

Issue 3: Radius requests rejected or ignored from the NAS client.

 

Associated logs that indicate this:

 

Tue Aug 22 13:06:56 2022 :Error:Ignoring request to auth address * port 1812 from unknown client x.x.x.x port xxxxx udp

 

Cause:

  1. The source IP of the RADIUS request from the NAS differs from the IP specified on the Element tab of the device modeled in FortiNAC, so the request arrives from a client FortiNAC does not know.
  2. Another device in FortiNAC is modeled with the same IP address. The duplicate entry causes FortiNAC to ignore the authentication requests from that IP.

 

Solution:

  1. Either correct the IP on the Element tab, or check the NAS device (switch/WLC) so that its RADIUS requests are sourced from the intended management IP.
  2. Identify in the FortiNAC CLI which devices are modeled with the affected IP (more than one result means a duplicate model):

 

FortiNAC-F:

 

execute enter-shell

device -ip X.X.X.X <- Replace with the affected IP.

 

FortiNAC 9.2/9.4 (CentOS):

 

device -ip X.X.X.X
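The four radius.log signatures this article quotes (the bind failure in Issue 1, the EAP mismatch in Issue 2, the unknown-client message in Issue 3, and the "FNAC Communication Timeout" reject reason in Issue 4) are regular enough to triage mechanically when tailing the log is impractical. The following classifier is an added example, not Fortinet code or part of this article; the sample log lines are constructed after the quoted ones, with placeholder addresses, MACs and identities, and the `next_step` hints simply restate this article's solutions.

```python
import re
from collections import Counter

# Constructed sample radius.log lines modelled on the signatures quoted in this
# article. Addresses, ports, identities and MACs are placeholders, not real data.
SAMPLE_LOG = """\
Tue Aug 22 13:06:56 2022 : Error: Failed binding to auth address * port 1812: Address already in use
Tue Aug 22 13:06:57 2022 : Auth: (414) Login incorrect (eap: No mutually acceptable types found): [host/edvin.fortinet.lab] (from client 10.0.0.12 port 574 cli 00-11-22-33-44-55)
Tue Aug 22 13:06:58 2022 :Error:Ignoring request to auth address * port 1812 from unknown client 10.0.0.99 port 51234 udp
Fri Jan 26 10:46:25 2024 : Debug: (326747) rest_reject: Module-Failure-Message := "FNAC Communication Timeout"
Fri Jan 26 10:46:26 2024 : Auth: (415) Login OK: [alice] (from client 10.0.0.12 port 3 cli 00-11-22-33-44-66)
"""

# One compiled pattern per issue in this article. Named groups pull out the
# fields a troubleshooter needs next (which port, which NAS, which identity).
PATTERNS = [
    ("port_in_use", re.compile(
        r"Failed binding to auth address \S+ port (?P<port>\d+): Address already in use")),
    ("eap_type_mismatch", re.compile(
        r"No mutually acceptable types found\): \[(?P<identity>[^\]]+)\] "
        r"\(from client (?P<client>[^\s)]+) port \d+ cli (?P<mac>[^\s)]+)\)")),
    ("unknown_client", re.compile(
        r"Ignoring request to auth address \S+ port (?P<port>\d+) "
        r"from unknown client (?P<client>\S+) port \d+")),
    ("fnac_timeout", re.compile(
        r'Module-Failure-Message := "FNAC Communication Timeout"')),
]

# Next step per issue, restating the solutions given in this article.
NEXT_STEP = {
    "port_in_use": "local RADIUS and RADIUS proxy share a port; move one of them (e.g. proxy to 1645/1646)",
    "eap_type_mismatch": "enable the EAP types the supplicant uses in the Local RADIUS configuration",
    "unknown_client": "NAS IP differs from the Element tab, or the IP is modeled twice; run 'device -ip <ip>'",
    "fnac_timeout": "LDAP lookup timed out; check connectivity to the LDAP server and read output.master",
}

# FreeRADIUS-style leading timestamp, e.g. "Tue Aug 22 13:06:56 2022".
TIMESTAMP = re.compile(r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4})")


def classify_line(line):
    """Return a dict describing the matched issue, or None for lines this article does not cover."""
    for issue, pattern in PATTERNS:
        m = pattern.search(line)
        if m:
            ts = TIMESTAMP.match(line)
            result = {"issue": issue, "next_step": NEXT_STEP[issue],
                      "timestamp": ts.group("ts") if ts else None}
            result.update(m.groupdict())  # port / client / identity / mac when present
            return result
    return None


def classify_log(text):
    """Classify every line of a radius.log excerpt, keeping only lines that match a known issue."""
    findings = []
    for line in text.splitlines():
        hit = classify_line(line)
        if hit:
            findings.append(hit)
    return findings


def summarize(text):
    """Count matches per issue so a long log can be triaged at a glance."""
    return Counter(f["issue"] for f in classify_log(text))


if __name__ == "__main__":
    # Usage on a live appliance: classify_log(open("/var/log/radius/radius.log").read())
    for finding in classify_log(SAMPLE_LOG):
        print(finding)
    print(dict(summarize(SAMPLE_LOG)))
```

Running the block on a saved copy of /var/log/radius/radius.log (the path used in the Description above) prints one finding per matching line; a burst of `unknown_client` hits from one address points at Issue 3, while a single `port_in_use` line at service start points at Issue 1.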

 

 

Issue 4: Radius Reject events due to Timeout messages.

 

This could happen in scenarios where Radius 802.1x EAP-TLS with Computer certificates is being used for authentication.

 

Event logs will show the following:


1/26/2024 12:19 RADIUS Authentication Failure FortiNAC RADIUS Access-Reject - Host: 48:51:C5:XX:XX:XX / User: host/YYYYY / Device: 0.0.0.0 / Cause: FNAC Communication Timeout

 

The RADIUS log shows the corresponding reject reason:

 

Fri Jan 26 10:46:25 2024 : Debug: literal --> FNAC Communication Timeout
Fri Jan 26 10:46:25 2024 : Debug: (326747) rest_reject: EXPAND FNAC Communication Timeout
Fri Jan 26 10:46:25 2024 : Debug: (326747) rest_reject: --> FNAC Communication Timeout
Fri Jan 26 10:46:25 2024 : Debug: (326747) rest_reject: Module-Failure-Message := "FNAC Communication Timeout"
Fri Jan 26 10:46:25 2024 : Debug: rlm_rest (rest_reject): Released connection (9901)

 

 

The output.master log shows the following exceptions, pointing at an LDAP communication failure (here an LDAPS connection on TCP port 636 that never completed):

 

yams SEVERE :: 2024-01-26 12:28:47:129 :: #948 :: javax.naming.CommunicationException: X.X.X.X:636 [Root exception is java.net.SocketTimeoutException: connect timed out]
yams SEVERE :: 2024-01-26 12:28:47:129 :: #948 :: at com.sun.jndi.ldap.Connection.<init>(Connection.java:233)
yams SEVERE :: 2024-01-26 12:28:47:129 :: #948 :: at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)
yams SEVERE :: 2024-01-26 12:28:47:129 :: #948 :: at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1615

 

 

Cause: 

In host authentication scenarios, FortiNAC performs lookups on the LDAP server for the TLS attributes it receives in the RADIUS Access-Request.
When the configured LDAP server cannot be reached, the lookup gets no response; once it times out, FortiNAC answers with an Access-Reject and raises the RADIUS Authentication Failure event with the cause 'FNAC Communication Timeout'.

 

Solution:

Validate network communication between FortiNAC and the LDAP server, including the TCP port the exception names (636 for LDAPS) through any firewall or ACL in the path.

If a secondary LDAP server is configured and is the one that cannot be reached, remove that secondary server configuration in FortiNAC, or re-implement the LDAP integration.
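The Java trace above distinguishes a connect timeout (no answer at all, typically a firewall or routing problem) from a refused connection or a TLS failure, and the fix differs for each. The probe below reproduces that distinction from the FortiNAC side; it is an added example rather than Fortinet code or a FortiNAC command, it assumes only Python's standard library, and the two server names in the `__main__` block are hypothetical placeholders for a primary and secondary LDAP server.

```python
import socket
import ssl
from contextlib import closing


def check_ldap_reachable(host, port=636, timeout=5.0, tls=True):
    """Probe TCP (and optionally the TLS handshake) to an LDAP server.

    Returns (status, detail) where status is one of:
      "reachable"  TCP connect (and TLS handshake when tls=True) succeeded
      "timeout"    no SYN-ACK within `timeout` seconds: the same condition as
                   the 'connect timed out' SocketTimeoutException in output.master
      "refused"    host answered with RST, so nothing listens on that port
      "dns"        hostname does not resolve
      "tls_error"  TCP is fine but the TLS handshake failed or hung
      "error"      any other socket error (no route, ACL reject, ...)
    """
    try:
        with closing(socket.create_connection((host, port), timeout=timeout)) as sock:
            if not tls:
                return ("reachable", "tcp connect ok")
            # Reachability probe only: certificate validation is deliberately
            # off so that a bad certificate is reported as a TLS problem and
            # not mistaken for a network one. Never reuse this context for
            # real LDAP binds.
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            try:
                with closing(ctx.wrap_socket(sock, server_hostname=host)) as tls_sock:
                    return ("reachable", "tcp connect ok, tls handshake ok (%s)" % tls_sock.version())
            except socket.timeout:
                return ("tls_error", "tls handshake timed out after %.1fs" % timeout)
            except ssl.SSLError as exc:
                return ("tls_error", str(exc))
    except socket.gaierror as exc:
        return ("dns", str(exc))
    except socket.timeout:
        return ("timeout", "connect timed out after %.1fs" % timeout)
    except ConnectionRefusedError:
        return ("refused", "connection refused")
    except OSError as exc:
        return ("error", str(exc))


def check_ldap_servers(servers, timeout=5.0):
    """Probe every configured server (primary and secondary) and return {host: status}.

    A secondary that comes back "timeout" is the case this article's solution
    addresses: remove it from FortiNAC or fix the path to it.
    """
    return {host: check_ldap_reachable(host, port, timeout)[0] for host, port in servers}


def probe_local_listener():
    """Self-contained demo with no external dependency: open a loopback
    listener, probe it (plain TCP), close it, probe again. Returns the two
    statuses, expected ("reachable", "refused")."""
    with closing(socket.socket()) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        while_open = check_ldap_reachable("127.0.0.1", port, timeout=2.0, tls=False)[0]
    after_close = check_ldap_reachable("127.0.0.1", port, timeout=2.0, tls=False)[0]
    return (while_open, after_close)


if __name__ == "__main__":
    print(probe_local_listener())
    # Hypothetical server names standing in for the primary and secondary
    # LDAP entries configured in FortiNAC.
    print(check_ldap_servers([("ldap-primary.example.net", 636),
                              ("ldap-secondary.example.net", 636)]))
```

Run it from a host on the same network segment as the FortiNAC appliance (or, on a CentOS-based 9.x appliance, from the root shell) against the IP and port that appear in the output.master exception; "timeout" means packets are being dropped on the way, "refused" means the LDAP service is down or on another port, and "tls_error" means the server is up but its certificate or protocol settings need attention.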

 

Related documents:

Configure Local RADIUS Server settings - FortiNAC administration guide.

Troubleshooting Tip: Local Radius server logs.

Troubleshooting Tip: Local RADIUS log message examples.