FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.

This article describes some common local RADIUS failures in FortiNAC, with the accompanying debug logs and a few examples.


To enable debug and view logs via UI (versions 9.2 and greater):


See 'Debug & Troubleshooting' in the Administration UI.


To enable debug and view logs via CLI:

1) Log in as root to the appliance CLI.
2) Type:

tail -F /var/log/radius/radius.log

3) Attempt to connect with a test host.
4) Monitor the log.

Scope 8.8.x, 9.1.x, 9.2.x, 9.4.x

Issue 1: Port already in use


Associated logs that indicate this:


Tue Aug 22 13:06:56 2022 : Error: Failed binding to auth address * port 1812: Address already in use




The same listening port is used by both the local RADIUS service and proxy RADIUS. This causes a conflict, and the local RADIUS service fails to start.




Change the listening port for either local RADIUS or proxy RADIUS. For example, local RADIUS port 1812, proxy RADIUS port 1645.

To use this port (1812) for local RADIUS, perform the following:

1) Go to Network -> RADIUS -> Proxy tab and change the Authentication Port and Accounting Port to 1645 and 1646.

2) If RADIUS Proxy is not used, uncheck the boxes and save the settings.

3) Then select Local Service and Enable the Service.


Remember to configure the NAS device to send RADIUS traffic to the appropriate designated port.


Issue 2: No mutually acceptable types found


Associated logs that indicate this:


Tue Aug 22 13:06:56 2022 : Auth: (414) Login incorrect (eap: No mutually acceptable types found): [host/edvin.fortinet.lab] (from client 10.x.x.c port 574 cli xx-xx-xx-xx-xx-xx)




EAP type mismatch between the client and FortiNAC acting as the RADIUS server.



- The EAP types have not been selected in the RADIUS configuration. All of them can be enabled to accommodate each type of EAP request coming from different clients; this will not cause any compatibility problems.





- Some clients use legacy TLS protocols/ciphers. In that case, legacy TLS protocols will need to be enabled. To enable legacy ciphers in the FortiNAC RADIUS configuration:

1) Navigate to the Local RADIUS Configuration.
2) Select the modify icon in the TLS Service Configuration.
3) Enable the ciphers that are supported by the Windows 7 client.
4) Select OK.
5) Select 'Save Settings'.




Issue 3: Radius requests rejected or ignored from the NAS client


Associated logs that indicate this:


Tue Aug 22 13:06:56 2022 :Error:Ignoring request to auth address * port 1812 from unknown client x.x.x.x port xxxxx udp




This occurs when the NAS IP in the RADIUS request differs from the one specified in the Element tab of the modeled device in FortiNAC.




Either align the IP on the Element tab, or check the NAS device (switch/WLC) so that RADIUS requests come from the intended management IP.
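
The three log signatures above can be triaged in one pass over radius.log. The script below is an added example, not Fortinet code: the function names, the output format and the sample lines (documentation-range IPs) are assumptions, and only the matched message strings come from this article.

```shell
#!/bin/sh
# Added example (not Fortinet code). Function names and output format are
# assumptions; the matched strings are the log messages quoted in this article.

classify_radius_log() {
    # stdin: radius.log lines. stdout: ISSUE<n>|<detail>|<action> per match.
    awk '
    /Failed binding to auth address .* port [0-9]+: Address already in use/ {
        p = $0; sub(/.* port /, "", p); sub(/:.*/, "", p)
        print "ISSUE1|port " p "|move local or proxy RADIUS to another port"
        next
    }
    /Login incorrect \(eap: No mutually acceptable types found\)/ {
        c = $0; sub(/.*\(from client /, "", c); sub(/ port .*/, "", c)
        print "ISSUE2|client " c "|check enabled EAP types and TLS settings"
        next
    }
    /Ignoring request to auth address .* from unknown client / {
        c = $0; sub(/.*from unknown client /, "", c); sub(/ port .*/, "", c)
        print "ISSUE3|source " c "|align Element tab IP with NAS source IP"
        next
    }'
}

summarize_radius_failures() {
    # Collapse repeats so one misconfigured NAS shows as a single counted row.
    classify_radius_log | sort | uniq -c |
        awk '{ n = $1; sub(/^ *[0-9]+ /, ""); print n "x " $0 }'
}

sample_log() {
    # Constructed sample lines modelled on the messages above.
    cat <<'EOF'
Tue Aug 22 13:06:56 2022 : Error: Failed binding to auth address * port 1812: Address already in use
Tue Aug 22 13:07:10 2022 : Auth: (414) Login incorrect (eap: No mutually acceptable types found): [host/pc1.example.lab] (from client 192.0.2.10 port 574 cli 00-00-5E-00-53-01)
Tue Aug 22 13:07:11 2022 : Info: Ready to process requests
Tue Aug 22 13:07:12 2022 : Error: Ignoring request to auth address * port 1812 from unknown client 198.51.100.7 port 51000 udp
Tue Aug 22 13:07:13 2022 : Error: Ignoring request to auth address * port 1812 from unknown client 198.51.100.7 port 51001 udp
EOF
}

# On the appliance: summarize_radius_failures < /var/log/radius/radius.log
sample_log | summarize_radius_failures
```

Repeated ISSUE3 rows from a source address that is not a modeled device are worth reviewing before adding that address to the Element tab.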

