Help
FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
ebujedo
Staff
Staff

Created on ‎07-13-2021 06:31 AM Edited on ‎03-08-2022 02:37 PM By Anonymous

Article Id 195965

Troubleshooting Tip: Local Radius server logs

Description
This article describes how to check the connection between the Radius clients and the local Radius server.

Scope
FortiNAC


Solution
Login as root on the CLI and type:

>tf /var/log/radius/radius.log

Example of successful client connection:

Controller IP: 172.29.30.75
Client MAC: CC:2D:B7:57:6A:A0

Thu Mar 25 13:30:54 2021 : Auth: (2499895) Login OK: [bosit] (from client 172.29.30.75 port 13 cli cc-2d-b7-57-6a-a0 via TLS tunnel)
Thu Mar 25 13:30:54 2021 : Auth: (2499896) Login OK: [bosit] (from client 172.29.30.75 port 13 cli cc-2d-b7-57-6a-a0)

Example of failed client connection due to expired user account password in authentication server:

Client MAC: xxxxxxxxxxxx

 

Fri Jan 14 09:43:46 2022 : Auth: (11577) Login incorrect (mschap-DefaultConfig: Program returned code (1) and output 'The user account password has expired. (0xc0000071)'): [org\larrys] (from client 172.20.100.100 port 0 cli xxxxxxxxxxxx via TLS tunnel)
Fri Jan 14 09:43:46 2022 : Auth: (11578) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [org\larrys] (from client 172.20.100.100 port 0 cli xxxxxxxxxxxx)


Example of failed client connection due to locked user account in the authentication server:

 

Client MAC: xxxxxxxxxxxx

 

Fri Jan 14 09:53:22 2022 : Auth: (11602) Login incorrect (mschap-DefaultConfig: Program returned code (1) and output 'The user account has been automatically locked because too many invalid logon attempts or password change attempts have been requested. (0xc0000234)'): [org\larrys] (from client 172.20.100.100 port 0 cli xxxxxxxxxxxx via TLS tunnel)
Fri Jan 14 09:53:22 2022 : Auth: (11603) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [org\larrys] (from client 172.20.100.100 port 0 cli xxxxxxxxxxxx)

 

 

 

It is also possible to see more information if the RadiusAccess debug is enabled.

>nacdebug –name RadiusAccess true

This information is stored in:

/bsc/logs/output.master

Example of successful VLAN assignment of wireless client:

Controller IP: 172.29.30.75
Client MAC: CC:2D:B7:57:6A:A0
VLAN: 254 yams INFO :: 2021-03-25 13:30:54:453 :: p: default-threadpool; w: Idle checkDebug checking value RadiusManager for element 172.29.30.75 yams.RadiusAccess.RadiusAccessEngine.CC:2D:B7:57:6A:A0 FINE :: 2021-03-25 13:30:54:453 :: okToProcess: Checking SSID [UseLocalConfig=true/ssidStandaloneConfig=false] yams.RadiusAccess.RadiusAccessEngine.CC:2D:B7:57:6A:A0 FINE :: 2021-03-25 13:30:54:453 :: okToProcess: SSID Mode = Local
yams.RadiusAccess.RadiusAccessEngine.CC:2D:B7:57:6A:A0 FINE :: 2021-03-25 13:30:54:456 :: Using Access Configuration: accessValue = accessValue isolation; LogicalNetwork Name = Restrict Mobile Devices
yams.RadiusAccess.RadiusAccessEngine.CC:2D:B7:57:6A:A0 FINE :: 2021-03-25 13:30:54:456 :: redirectSource = CurrentVlanID, redirectDest = PortID yams.RadiusAccess.RadiusAccessEngine.CC:2D:B7:57:6A:A0 FINE :: 2021-03-25 13:30:54:456 :: new policy is : 254
yams.RadiusAccess.RadiusAccessEngine.CC:2D:B7:57:6A:A0 FINE :: 2021-03-25 13:30:54:456 :: updating client attributes with access value 254

Related document.
https://docs.fortinet.com/document/fortinac/9.1.0/local-radius-server

Labels:
2313
0 Kudos
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.