FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
arivet-AMER-FNAC-TAC
Article Id 307415
Description This article describes how to troubleshoot hosts that receive a Radius-Reject when the file radius.log contains the error 'ssl3_get_client_hello:no shared cipher'.
Scope FortiNAC, FortiNAC-F.
Solution This issue occurs because the host is not offering any cipher on the allowed list in the FortiNAC Radius TLS Configuration.

If the supplicant configuration cannot be retrieved from the connecting host, a packet capture can provide the necessary details. Commands and examples of how and what to capture can be found here.
  • Open the PCAP on the computer with Wireshark.
  • Locate the Access-Request packet.
  • Expand the tree until finding the section 'Cipher Suites' under Radius Protocol -> Attribute Value Pairs -> EAP-Message -> Extensible Authentication Protocol -> Transport Layer Security -> Handshake Protocol: Client Hello -> Cipher Suites.

[Screenshot: pcap_ciphers.png]

Compare the list from the PCAP to the available ciphers found in the Local Radius config on the FortiNAC GUI:

  • Log in to the Admin GUI with the credentials.
  • Enter the RADIUS config menu via Network -> Radius.
  • Select the appropriate config from the bottom of the screen and select the TLSDetails button.
  • The Ciphers list will appear along with a '+' button to add more ciphers.
  • Add at least one of the ciphers from the PCAP.
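The two procedures above (reading the Cipher Suites out of the Access-Request in the capture, then checking them against the list configured on the local RADIUS server) can be done programmatically. The script below is an added example written for this article; it is not FortiNAC code and does not read the FortiNAC configuration. It walks the same layering Wireshark shows: RADIUS attributes -> EAP-Message -> EAP-TLS -> TLS record -> ClientHello -> cipher suites, and then reports which offered suites are on an allowed list you pass in. The Access-Request bytes are constructed inline (the supplicant's cipher IDs, the allowed list and the RADIUS authenticator are all sample values), so it runs offline; to use it on a real capture, export the Access-Request's UDP payload from Wireshark and pass those bytes to diagnose().

```python
"""Added example (not from the Fortinet article or FortiNAC): extract the
TLS ClientHello cipher suites from a RADIUS Access-Request and compare
them with the cipher list configured on the local RADIUS server."""
import struct

RADIUS_ACCESS_REQUEST = 1
ATTR_EAP_MESSAGE = 79        # RFC 3579 EAP-Message attribute
EAP_RESPONSE = 2
EAP_TYPE_TLS = 13
EAP_TYPE_PEAP = 25
TLS_HANDSHAKE = 0x16
TLS_CLIENT_HELLO = 1

# IANA names for the suite IDs used by this constructed sample (a small subset).
SUITE_NAMES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",
}


def radius_attributes(packet):
    """Yield (type, value) pairs from a RADIUS packet; the RFC 2865 header is 20 bytes."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != RADIUS_ACCESS_REQUEST:
        raise ValueError(f"not an Access-Request (code {code})")
    pos = 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            raise ValueError("bad RADIUS attribute length")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen


def eap_tls_payload(packet):
    """Concatenate the EAP-Message fragments and strip the EAP and EAP-TLS headers."""
    eap = b"".join(v for t, v in radius_attributes(packet) if t == ATTR_EAP_MESSAGE)
    code, _ident, length, eap_type = struct.unpack("!BBHB", eap[:5])
    if code != EAP_RESPONSE or eap_type not in (EAP_TYPE_TLS, EAP_TYPE_PEAP):
        raise ValueError("not an EAP-TLS/PEAP response")
    flags, pos = eap[5], 6
    if flags & 0x80:            # L bit set: a 4-byte TLS message length follows the flags
        pos += 4
    return eap[pos:length]


def client_hello_ciphers(tls):
    """Return the cipher suite IDs offered in a TLS ClientHello handshake record."""
    ctype, _version, rec_len = struct.unpack("!BHH", tls[:5])
    if ctype != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    hs = tls[5:5 + rec_len]
    if hs[0] != TLS_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32            # handshake header, client_version, random
    sid_len = hs[pos]
    pos += 1 + sid_len          # skip session_id
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    return [struct.unpack("!H", hs[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]


def shared_ciphers(offered, allowed):
    """Suites the supplicant offered that are also on the server's allowed list."""
    return [c for c in offered if c in allowed]


def diagnose(packet, allowed):
    """Return (offered, shared) suite-name lists; an empty 'shared' reproduces the
    'no shared cipher' condition described in the article."""
    offered = client_hello_ciphers(eap_tls_payload(packet))
    name = lambda c: SUITE_NAMES.get(c, f"0x{c:04X}")
    return [name(c) for c in offered], [name(c) for c in shared_ciphers(offered, allowed)]


def build_access_request(cipher_ids, fragment=60):
    """Constructed sample packet: ClientHello inside EAP-TLS inside RADIUS EAP-Message attributes."""
    body = (b"\x03\x03" + bytes(32) + b"\x00"                       # version, random, empty session id
            + struct.pack("!H", 2 * len(cipher_ids))
            + b"".join(struct.pack("!H", c) for c in cipher_ids)
            + b"\x01\x00")                                          # compression: null only
    handshake = bytes([TLS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    record = struct.pack("!BHH", TLS_HANDSHAKE, 0x0303, len(handshake)) + handshake
    eap_data = b"\x80" + struct.pack("!I", len(record)) + record   # L bit + TLS length
    eap = struct.pack("!BBHB", EAP_RESPONSE, 1, 5 + len(eap_data), EAP_TYPE_TLS) + eap_data
    chunks = [eap[i:i + fragment] for i in range(0, len(eap), fragment)]
    attrs = b"".join(bytes([ATTR_EAP_MESSAGE, 2 + len(ch)]) + ch for ch in chunks)
    # Identifier 7 and an all-zero Request Authenticator are placeholder values.
    return struct.pack("!BBH", RADIUS_ACCESS_REQUEST, 7, 20 + len(attrs)) + bytes(16) + attrs


if __name__ == "__main__":
    # Sample supplicant offering only RSA suites against a server allowing only ECDHE/TLS 1.3 suites.
    pkt = build_access_request([0x002F, 0x0035, 0x009C])
    server_allowed = {0xC02F, 0xC030, 0x1301}
    offered, shared = diagnose(pkt, server_allowed)
    print("offered:", offered)
    print("shared :", shared or "NONE -> expect 'no shared cipher' in radius.log")
    # Adding one of the offered suites to the server list resolves it.
    print("after adding 0x009C:", diagnose(pkt, server_allowed | {0x009C})[1])
```

The parser assumes the whole ClientHello arrives in one Access-Request; a long ClientHello is fragmented across several EAP-TLS round trips (M bit set in the flags), in which case the EAP-TLS data from each Access-Request must be concatenated first. In Wireshark the same information is under the 'Cipher Suites' node described above; the script only saves doing the comparison by hand when the offered and allowed lists are long.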

[Screenshot: scrnli_3_29_2024_3-30-43-PM.gif]

The host and the Local Radius server will now have a common cipher.

Comments
bhimgurung
Staff

Thank you