FortiNAC
FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
cmaheu
Staff
Description

This article describes log entries that may appear in the Local RADIUS logs and their possible causes.

 

To enable debug and view logs via UI (versions 9.2 and greater):

See 'Debug & Troubleshooting' in the Administration UI:
https://docs.fortinet.com/document/fortinac/9.2.0/administration-guide/366458/configure-local-radius... 

 

To enable debug and view logs via CLI
1) Log in as root to the appliance CLI.
2) Type
tail -F /var/log/radius/radius.log
3) Attempt to connect with a test host.
4) Monitor the log.

Scope
Versions: 8.x & 9.x
Solution

The below entries refer to:
Client IP: 172.20.100.100
Client domain\UserID: org\larrys
Client MAC: 9C:B6:D0:11:33:44

 

Example 1: User account password expired

 

Fri Jan 14 09:43:46 2022 : Auth: (11577) Login incorrect (mschap-DefaultConfig: Program returned code (1) and output 'The user account password has expired. (0xc0000071)'): [org\larrys] (from client 172.20.100.100 port 0 cli 9cb6d0113344 via TLS tunnel)
Fri Jan 14 09:43:46 2022 : Auth: (11578) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [org\larrys] (from client 172.20.100.100 port 0 cli 9cb6d0113344)


Cause: The user account password in the authentication server has expired.


Solution: Have user change password.

 

Example 2: User account locked

 

Fri Jan 14 09:53:22 2022 : Auth: (11602) Login incorrect (mschap-DefaultConfig: Program returned code (1) and output 'The user account has been automatically locked because too many invalid logon attempts or password change attempts have been requested. (0xc0000234)'): [org\larrys] (from client 172.20.100.100 port 0 cli 9cb6d0113344 via TLS tunnel)
Fri Jan 14 09:53:22 2022 : Auth: (11603) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [org\larrys] (from client 172.20.100.100 port 0 cli 9cb6d0113344)

 

Cause: The user account in the authentication server has been locked.


Solution: Unlock user account.

 

Example 3: Successful login

 

Fri Jan 14 09:54:31 2022 : Auth: (11635) Login OK: [org\larrys] (from client 172.20.100.100 port 0 cli 9cb6d0113344 via TLS tunnel)
Fri Jan 14 09:54:31 2022 : Auth: (11636) Login OK: [org\larrys] (from client 172.20.100.100 port 0 cli 9cb6d0113344)
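
As an added example (not part of the article), the following Python parser reads 'Auth:' lines in the format shown in Examples 1 to 3, extracts the request id, user, client IP, MAC and the NT status code quoted in the mschap output, and maps the two codes the article covers (0xc0000071 and 0xc0000234) to their causes. The sample lines are constructed copies of the entries above; the field names and the cause labels are this example's own.

```python
import re
from collections import Counter

# Constructed sample lines in the article's format (same user, client IP and MAC as the examples above).
SAMPLE_LINES = [
    r"Fri Jan 14 09:43:46 2022 : Auth: (11577) Login incorrect (mschap-DefaultConfig: Program returned code (1) and output 'The user account password has expired. (0xc0000071)'): [org\larrys] (from client 172.20.100.100 port 0 cli 9cb6d0113344 via TLS tunnel)",
    r"Fri Jan 14 09:43:46 2022 : Auth: (11578) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [org\larrys] (from client 172.20.100.100 port 0 cli 9cb6d0113344)",
    r"Fri Jan 14 09:53:22 2022 : Auth: (11602) Login incorrect (mschap-DefaultConfig: Program returned code (1) and output 'The user account has been automatically locked because too many invalid logon attempts or password change attempts have been requested. (0xc0000234)'): [org\larrys] (from client 172.20.100.100 port 0 cli 9cb6d0113344 via TLS tunnel)",
    r"Fri Jan 14 09:54:31 2022 : Auth: (11635) Login OK: [org\larrys] (from client 172.20.100.100 port 0 cli 9cb6d0113344 via TLS tunnel)",
]

LINE_RE = re.compile(
    r"^(?P<ts>.+?) : Auth: \((?P<req>\d+)\) Login (?P<result>OK|incorrect)"
    r"(?: \((?P<module>[\w-]+): (?P<reason>.*)\))?: \[(?P<user>[^\]]+)\]"
    r" \(from client (?P<client>\S+) port \d+ cli (?P<mac>[0-9a-fA-F]{12})( via TLS tunnel)?\)$"
)

# NT status codes quoted in the mschap output, mapped to the causes the article gives.
NT_STATUS = {"0xc0000071": "password expired", "0xc0000234": "account locked"}

def parse_line(line):
    """Return a dict of fields for one 'Auth:' line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["mac"] = ":".join(ev["mac"][i:i + 2] for i in range(0, 12, 2)).upper()
    code = re.search(r"\((0x[0-9a-f]{8})\)", ev["reason"] or "", re.I)
    ev["nt_status"] = code.group(1).lower() if code else None
    return ev

def classify(ev):
    """Map a parsed event to the cause an administrator would act on."""
    if ev["result"] == "OK":
        return "login ok"
    if ev["module"] == "eap_peap" and "previously rejected" in (ev["reason"] or ""):
        return "outer reject (echo of the inner-tunnel failure)"
    return NT_STATUS.get(ev["nt_status"], "unclassified: " + (ev["reason"] or ""))

def summarize(lines):
    """Count root causes per user and MAC; the outer-reject echo lines are not counted twice."""
    counts = Counter()
    for ev in filter(None, map(parse_line, lines)):
        cause = classify(ev)
        if not cause.startswith("outer reject"):
            counts[(ev["user"], ev["mac"], cause)] += 1
    return counts
```

Feed it the output of `tail -F /var/log/radius/radius.log` line by line to get a per-user count of expired-password and locked-account rejections instead of reading each pair of lines by hand.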

 

Example 4: Unable to find ip X.X.X.X in cache. Searching database

 

yams INFO :: 2022-04-05 12:27:00:035 :: ManagedElementServer.getDeviceByIP() unable to find ip 192.168.10.1 in cache. Searching database.

 

Cause: The Source-IP and NAS-IP of the configured RADIUS client (the FortiGate) do not match the device IP in the Elements tab of the FortiNAC model configuration. This results in authentication failure. The IP in this log entry is that of the RADIUS client (the device) that forwards the authentication requests to FortiNAC.

 

Solution: Configure the Source-IP and NAS-IP of the RADIUS client to match the IP configured in the Elements tab of the FortiNAC model configuration.

 

FortiGate configuration:

 

config user radius
    edit FortiNAC
        set server "192.168.200.7"
        set nas-ip 192.168.10.1
        set radius-coa enable
        set source-ip "192.168.10.1"
    next
end

 

FortiNAC GUI:

 

[Screenshot: device IP in the Elements tab of the FortiNAC model configuration]

 

Other related documentation:

https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/414c78e4-32f9-11eb-96b9-005056...

 
