| Description |
This article describes about log entries that may be printed in the Local RADIUS logs and possible causes.
To enable debug and view logs via UI (versions 9.2 and greater): See 'Debug & Troubleshooting' in the Administration UI
To enable debug and view logs via CLI |
| Scope | Versions: 8.x & 9.x |
| Solution |
The below entries refer to:
Example 1: User account password expired
Fri Jan 14 09:43:46 2022 : Auth: (11577) Login incorrect (mschap-DefaultConfig: Program returned code (1) and output 'The user account password has expired. (0xc0000071)'): [org\larrys] (from client 172.20.100.100 port 0 cli 9cb6d0113344 via TLS tunnel)
Example 2: User account locked
Fri Jan 14 09:53:22 2022 : Auth: (11602) Login incorrect (mschap-DefaultConfig: Program returned code (1) and output 'The user account has been automatically locked because too many invalid logon attempts or password change attempts have been requested. (0xc0000234)'): [org\larrys] (from client 172.20.100.100 port 0 cli 9cb6d0113344 via TLS tunnel)
Cause: User account in the authentication server had been locked.
Example 3: Successful login
Fri Jan 14 09:54:31 2022 : Auth: (11635) Login OK: [org\larrys] (from client 172.20.100.100 port 0 cli 9cb6d0113344 via TLS tunnel)
Example 4: Unable to find ip X.X.X.X in cache. Searching database
yams INFO :: 2022-04-05 12:27:00:035 :: ManagedElementServer.getDeviceByIP() unable to find ip 192.168.10.1 in cache. Searching database.
Cause: Source-IP and Nas-IP of the configured Radius client (fortigate) not matching the device IP in the Elements tab in FortiNAC model configuration. This results in authentication failure. This log refers to the IP of the Radius client (device) which will forward the authentication requests to FNAC.
Solution: Configure the Source-IP and Nas-IP in Radius Client to match the IP configured in the Elements tab in FortiNAC model configuration.
FortiGate configuration:
# config user radius edit FortiNAC end
FortiNAC GUI:
Other related documentation: |
