Created on 08-22-2022 01:40 PM Edited on 02-16-2024 01:33 AM By Anthony_E
Description:
This article describes some common local Radius failures in FortiNAC and provides accompanying debug logs and examples.
To enable debugging and view logs via the GUI (versions 9.2 and greater), refer to 'Debug & Troubleshooting' in the Administration UI as per this article.
To enable debugging and view logs via the CLI:
tail -F /var/log/radius/radius.log
Scope: FortiNAC v8.8.x, v9.1.x, v9.2.x, v9.4.x.
Solution:
Issue 1: Port already in use.
Associated logs that indicate this:
Tue Aug 22 13:06:56 2022 : Error: Failed binding to auth address * port 1812: Address already in use
Cause:
The local radius service and the proxy radius are configured with the same listening port. The two services conflict over the port, so the local radius service fails to start.
Solution:
Change the listening port of either the local radius or the proxy radius so that they differ, for example local radius on port 1812 and proxy radius on port 1645. To use this port for local RADIUS, perform the following steps:
Remember to update the NAS device so that it sends radius traffic to the newly designated port.
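The "Address already in use" error is simply a failed bind() on the UDP port. The following added example, which is not part of this article or of FortiNAC, reproduces that bind test so an administrator can confirm which of the two ports (1812 for local radius, 1645 for proxy radius in the example above) is actually free before reassigning one. The function names and the use of 127.0.0.1 in the demo are assumptions for illustration; run it with the local radius service stopped, and a port that is still reported in use is held by another process, which confirms the conflict.

```python
import errno
import socket


def udp_port_in_use(port, host="0.0.0.0"):
    """Return True if something is already bound to host:port/udp.

    This is the same bind() the radius daemon performs at startup; when it
    fails with EADDRINUSE the daemon logs
    'Failed binding to auth address * port <port>: Address already in use'.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind((host, port))
    except OSError as exc:
        if exc.errno == errno.EADDRINUSE:
            return True
        raise  # any other error (e.g. permission) is not a port conflict
    finally:
        sock.close()
    return False


def check_radius_ports(local_port=1812, proxy_port=1645, host="0.0.0.0"):
    """Report whether local and proxy radius share a UDP port and whether each port is free."""
    return {
        "conflict": local_port == proxy_port,
        "local_port_in_use": udp_port_in_use(local_port, host),
        "proxy_port_in_use": udp_port_in_use(proxy_port, host),
    }


def reserve_udp_port(host="127.0.0.1"):
    """Bind an ephemeral UDP port and return (socket, port).

    Used only to simulate another service (e.g. proxy radius) already holding a port.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, 0))
    return sock, sock.getsockname()[1]


if __name__ == "__main__":
    # Constructed demo: hold a port, show it as in use, release it, show it free.
    holder, port = reserve_udp_port()
    print("port", port, "in use:", udp_port_in_use(port, "127.0.0.1"))   # True
    holder.close()
    print("port", port, "in use:", udp_port_in_use(port, "127.0.0.1"))   # False
    print(check_radius_ports(1812, 1812, "127.0.0.1"))                    # conflict: True
```

A `conflict` of True means the two services are configured on the same port regardless of what is currently listening; the `*_in_use` fields tell you what is bound right now on this host.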
Issue 2: No mutually acceptable types found.
Associated logs that indicate this:
Tue Aug 22 13:06:56 2022 : Auth: (414) Login incorrect (eap: No mutually acceptable types found): [host/edvin.fortinet.lab] (from client 10.x.x.c port 574 cli xx-xx-xx-xx-xx-xx)
Cause:
EAP type mismatch between the client and the FortiNAC acting as a radius server.
The required EAP types have not been checked in the radius configuration. Enabling all of them lets the server accommodate each type of EAP request coming from different clients and avoids compatibility problems.
Figure 1. Radius Configuration tab
Figure 2. Local Radius configuration
Issue 3: Radius requests rejected or ignored from the NAS client.
Associated logs that indicate this:
Tue Aug 22 13:06:56 2022 :Error:Ignoring request to auth address * port 1812 from unknown client x.x.x.x port xxxxx udp
Cause:
Solution:
FortiNAC-F:
execute enter-shell device -ip X.X.X.X    (replace X.X.X.X with the affected IP)
FortiNAC 9.2/9.4 (CentOS):
device -ip X.X.X.X
Issue 4: Radius Reject events due to Timeout messages.
This can happen where Radius 802.1x EAP-TLS with computer certificates is used for authentication.
Event logs will show the following:
The Radius log output shows the following message:
Fri Jan 26 10:46:25 2024 : Debug: literal --> FNAC Communication Timeout
The master log output shows the following exception related to LDAP communication issues:
yams SEVERE :: 2024-01-26 12:28:47:129 :: #948 :: javax.naming.CommunicationException: X.X.X.X:636 [Root exception is java.net.SocketTimeoutException: connect timed out]
Cause: In host authentication scenarios, FortiNAC performs lookups on the LDAP server for the TLS attributes it receives in Radius access requests. If the LDAP server cannot be reached, the lookup times out and the Radius request is rejected.
Solution: Validate network communication between FortiNAC and the LDAP server. Remove the secondary LDAP server configuration in FortiNAC, or re-implement the LDAP integration.
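The four issues above are each identified by a distinctive line in radius.log or in the master log. The following added example, which is not part of this article or of FortiNAC, turns those signatures into a small triage script: it reads log lines, matches each against the patterns quoted in this article, and reports the issue number, the extracted detail (port, identity, NAS IP, or LDAP host:port) and the corresponding action. The sample log lines, the IP addresses and the identity in them are constructed for the demo, not taken from a real system.

```python
import re
from collections import Counter

# Each entry: (issue label, pattern over a log line, action template).
# The patterns follow the log excerpts quoted in this article.
SIGNATURES = [
    ("Issue 1: port already in use",
     re.compile(r"Failed binding to auth address \S+ port (?P<port>\d+): Address already in use"),
     "local and proxy radius share UDP port {port}; give one of them a different listening port"),
    ("Issue 2: no mutually acceptable EAP types",
     re.compile(r"No mutually acceptable types found\): \[(?P<identity>[^\]]+)\]"),
     "client {identity} offered an EAP type that is not enabled in the local radius configuration"),
    ("Issue 3: request from unknown client",
     re.compile(r"Ignoring request to auth address \S+ port \d+ from unknown client (?P<client>\S+) port"),
     "NAS {client} is not a known radius client; check it with 'device -ip {client}'"),
    ("Issue 4: FortiNAC communication timeout",
     re.compile(r"FNAC Communication Timeout"),
     "radius timed out waiting on FortiNAC; check the master log for an LDAP CommunicationException"),
    ("Issue 4: LDAP connect timeout",
     re.compile(r"javax\.naming\.CommunicationException: (?P<ldap>[^\s\[]+)"),
     "FortiNAC could not reach LDAP at {ldap}; validate the network path to that host and port"),
]

# Constructed sample log (hypothetical IPs and identity) covering every issue plus one healthy line.
SAMPLE_LOG = """\
Tue Aug 22 13:06:56 2022 : Error: Failed binding to auth address * port 1812: Address already in use
Tue Aug 22 13:07:10 2022 : Auth: (414) Login incorrect (eap: No mutually acceptable types found): [host/lab-pc01.example.test] (from client 10.0.0.7 port 574 cli 00-11-22-33-44-55)
Tue Aug 22 13:07:12 2022 : Error: Ignoring request to auth address * port 1812 from unknown client 10.0.0.9 port 49152 udp
Tue Aug 22 13:07:30 2022 : Auth: (415) Login OK: [user1] (from client 10.0.0.7 port 575 cli 00-11-22-33-44-66)
Fri Jan 26 10:46:25 2024 : Debug: literal --> FNAC Communication Timeout
yams SEVERE :: 2024-01-26 12:28:47:129 :: #948 :: javax.naming.CommunicationException: 10.0.0.20:636 [Root exception is java.net.SocketTimeoutException: connect timed out]
"""


def triage(lines):
    """Match each log line against the known signatures; return one finding per matching line."""
    findings = []
    for line in lines:
        for issue, pattern, action in SIGNATURES:
            match = pattern.search(line)
            if match:
                findings.append({
                    "issue": issue,
                    "action": action.format(**match.groupdict()),
                    "line": line.strip(),
                })
                break  # first matching signature wins; lines are otherwise ignored
    return findings


def summarize(findings):
    """Count findings per issue label, e.g. to see which failure dominates a log."""
    return Counter(finding["issue"] for finding in findings)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG.splitlines())
    for finding in results:
        print(f"{finding['issue']}\n  action: {finding['action']}")
    print(dict(summarize(results)))
```

In practice pipe the output of `tail -F /var/log/radius/radius.log` (and the master log for the LDAP exception) into `triage`; the healthy "Login OK" line in the sample shows that unmatched lines produce no finding.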
Related documents: Configure Local RADIUS Server settings - FortiNAC administration guide.
Copyright 2024 Fortinet, Inc. All Rights Reserved.