FortiNAC
FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
ethomollari
Staff
Description

This article describes some common local RADIUS failures in FortiNAC, the accompanying debug logs and a few examples.

To enable debug and view logs via the UI (versions 9.2 and greater), see 'Debug & Troubleshooting' in the Administration UI:

https://community.fortinet.com/t5/FortiNAC/Troubleshooting-Tip-FortiNAC-Local-Radius-Debug-amp/ta-p/...

To enable debug and view logs via the CLI:

1) Log in as root to the appliance CLI.
2) Type:

tail -F /var/log/radius/radius.log

3) Attempt to connect with a test host.
4) Monitor the log.

Scope

8.8.x, 9.1.x, 9.2.x, 9.4.x

Solution

Issue 1: Port already in use

Associated logs that indicate this:

Tue Aug 22 13:06:56 2022 : Error: Failed binding to auth address * port 1812: Address already in use

Cause:

The same listening port is used by both the local RADIUS service and the RADIUS proxy. This causes a conflict, so the local RADIUS service fails to start.

Solution:

Change the listening port for either the local RADIUS service or the RADIUS proxy. For example, local RADIUS port 1812, RADIUS proxy port 1645.

If one wants to use this port for local RADIUS, perform the following:

1) Go to Network -> RADIUS -> Proxy tab and change the Authentication Port and Accounting Port to 1645 and 1646.
2) If RADIUS Proxy is not used, uncheck the boxes and save the settings.
3) Then select Local Service and enable the service.

Keep in mind that the NAS device must also be configured to send RADIUS traffic to the appropriate designated port.

 

Issue 2: No mutually acceptable types found

Associated logs that indicate this:

Tue Aug 22 13:06:56 2022 : Auth: (414) Login incorrect (eap: No mutually acceptable types found): [host/edvin.fortinet.lab] (from client 10.x.x.c port 574 cli xx-xx-xx-xx-xx-xx)

Cause:

EAP type mismatch between the client and FortiNAC acting as the RADIUS server.

Solution:

- EAP types have not been checked in the RADIUS configuration. All of them can be enabled so that each type of EAP request coming from different clients is accommodated; this does not cause any compatibility problems.

 


- Some clients use legacy TLS protocols/ciphers. In that case, the legacy TLS protocols will need to be enabled. To enable legacy ciphers in the FortiNAC RADIUS configuration:

1) Navigate to the Local RADIUS Configuration.
2) Select the modify icon in the TLS Service Configuration.
3) Enable the ciphers that are supported by the Windows 7 client.
4) Select OK.
5) Select 'Save Settings'.

 


Issue 3: RADIUS requests rejected or ignored from the NAS client

Associated logs that indicate this:

Tue Aug 22 13:06:56 2022 :Error:Ignoring request to auth address * port 1812 from unknown client x.x.x.x port xxxxx udp

Cause:

This happens when the NAS IP in the RADIUS request differs from the IP specified in the Element tab of the modeled device in FortiNAC.

Solution:

Either the IP on the Element tab has to be aligned, or the NAS device (switch/WLC) has to be checked so that RADIUS requests come from the intended management IP.
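As an added example (not from this article and not Fortinet's own tooling), the following Python script classifies lines from /var/log/radius/radius.log into the three failure types described above (port already in use, EAP type mismatch, unknown NAS client) and pulls out the port, NAS IP, EAP identity and calling station so that repeated failures can be summarized per issue and per source instead of being read one line at a time. The sample log text, IP addresses, MACs and the script name radius_triage.py are constructed for the example; the regular expressions are assumptions derived from the log lines quoted in this article, not a documented FortiNAC log schema.

```python
import re
import sys
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample lines that mirror the formats quoted in the article
# (IPs, MACs and identities are made up; the last line is a normal success).
SAMPLE_LOG = """\
Tue Aug 22 13:06:56 2022 : Error: Failed binding to auth address * port 1812: Address already in use
Tue Aug 22 13:06:56 2022 : Auth: (414) Login incorrect (eap: No mutually acceptable types found): [host/edvin.fortinet.lab] (from client 10.0.0.12 port 574 cli 00-11-22-33-44-55)
Tue Aug 22 13:06:56 2022 :Error:Ignoring request to auth address * port 1812 from unknown client 192.0.2.7 port 51234 udp
Tue Aug 22 13:06:57 2022 :Error:Ignoring request to auth address * port 1812 from unknown client 192.0.2.7 port 51235 udp
Tue Aug 22 13:06:58 2022 : Auth: (415) Login OK: [alice] (from client 10.0.0.12 port 12 cli 00-11-22-33-44-66)
"""

# (issue name, pattern assumed from the quoted log lines, remediation hint taken from the article)
PATTERNS = [
    (
        "port_in_use",
        re.compile(r"Failed binding to auth address \S+ port (?P<port>\d+): Address already in use"),
        "Local RADIUS cannot bind port {port}; check whether RADIUS proxy is configured on the same port.",
    ),
    (
        "eap_mismatch",
        re.compile(
            r"No mutually acceptable types found\): \[(?P<identity>[^\]]+)\] "
            r"\(from client (?P<nas>\S+) port (?P<port>\d+) cli (?P<mac>\S+)\)"
        ),
        "EAP type mismatch for {identity} via NAS {nas}; enable the client's EAP type "
        "(and legacy TLS ciphers if that client needs them).",
    ),
    (
        "unknown_client",
        re.compile(r"Ignoring request to auth address \S+ port \d+ from unknown client (?P<nas>\S+) port (?P<port>\d+)"),
        "Request from {nas} dropped; its source IP does not match the Element tab IP of any modeled device.",
    ),
]


@dataclass
class Finding:
    issue: str
    details: Dict[str, str]
    advice: str


def classify_line(line: str) -> Optional[Finding]:
    """Return a Finding for a known failure line, or None for anything else (e.g. Login OK)."""
    for issue, pattern, advice in PATTERNS:
        match = pattern.search(line)
        if match:
            details = match.groupdict()
            return Finding(issue, details, advice.format(**details))
    return None


def summarize(log_text: str) -> Dict[str, dict]:
    """Group findings by issue: how often each occurred and which NAS/client IPs were involved.

    The advice kept per issue is the one rendered for its first occurrence."""
    summary: Dict[str, dict] = {}
    for line in log_text.splitlines():
        finding = classify_line(line)
        if finding is None:
            continue
        entry = summary.setdefault(
            finding.issue, {"count": 0, "sources": set(), "advice": finding.advice}
        )
        entry["count"] += 1
        if "nas" in finding.details:
            entry["sources"].add(finding.details["nas"])
    return summary


if __name__ == "__main__":
    # Pipe the live log in, e.g. "tail -n 500 /var/log/radius/radius.log | python3 radius_triage.py",
    # or run with no input to see the constructed sample classified.
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    for issue, entry in summarize(text).items():
        sources = ", ".join(sorted(entry["sources"])) or "n/a"
        print(f"{issue}: {entry['count']} line(s), sources: {sources}")
        print(f"  -> {entry['advice']}")
```

The "sources" set is the useful part for Issue 3: a NAS IP that keeps appearing as an unknown client is the address to compare against the Element tab of the modeled switch or WLC. For Issue 2 the captured identity and calling station show which client population (for example the machine accounts of older Windows hosts) is failing EAP negotiation, which narrows whether an EAP type or a legacy cipher needs to be enabled.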

 

Related documentation:

https://docs.fortinet.com/document/fortinac/9.2.0/administration-guide/366458/configure-local-radius...

https://community.fortinet.com/t5/FortiNAC/Troubleshooting-Tip-Local-Radius-server-logs/ta-p/195965

https://community.fortinet.com/t5/FortiNAC/Troubleshooting-Tip-Local-RADIUS-log-message-examples/ta-...
