FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
FortiKoala
Staff
Article Id 191439

Description

This article describes how to troubleshoot clients that fail to connect to a network managed by FortiNAC using RADIUS.

Scope

FortiNAC.

Solution

  1. Verify the Model Configuration for the switch/Controller/Access Point:
  • SSH/Telnet credentials.
  • VLAN assignments.

  2. The RADIUS secret must match exactly among the following components (no spaces before or after the secret):
  • Model Configuration for the Controller/Access Point in question. Secrets defined in the SSID Configuration override the secret defined in the Controller/Access Point model for that specific SSID.
  • The switch/Controller/Access Point itself. Check at the SSID level for secrets as well.
  • RADIUS Server (802.1x authentication).
  • RADIUS Server model in FortiNAC under System -> Settings -> RADIUS (802.1x authentication).

 

  3. RADIUS Server model (802.1x authentication only), under System > Settings > RADIUS:
  • The username and password defined in the RADIUS Server model in FortiNAC match the account created on the RADIUS Server itself.
  • The authentication port is set to 1812 on both the RADIUS Server model in FortiNAC Sentry and the RADIUS Server.

 

  4. Confirm FortiNAC is receiving RADIUS Access-Requests from the switch/Controller/Access Point and is responding with either an Access-Accept or an Access-Reject. This can be done with tcpdump:

tcpdump -nni any port <RADIUS Authentication Port> and host <Controller/AP IP address>

Or enable the RadiusManager debug and review output.master on the NAC Server/Control Server (the procedure follows below).

Note:
On FortiNAC-OS, run the following command:

execute tcpdump -i any port <RADIUS Authentication Port> and host <Controller/AP IP address>

Related article:
Technical Tip: Run tcpdump in FortiNAC-F and save capture as a file.

 

  • In the Control Server CLI, type:

nacdebug -name RadiusManager true
cd /bsc/campusMgr/master_loader/
tail -F output.master | egrep -i "xx:xx:xx:xx:xx:xx|xxxxxxxxxxxx|xx-xx-xx-xx-xx-xx"

Example:

tail -F output.master | egrep -i "DC:71:96:11:99:19|DC7196119919|DC-71-96-11-99-19"
 
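The egrep above has to list every notation the log might use for the same client. As an added example (not from the Fortinet article), the following Python filter takes a MAC in any common form, builds the three alternatives the article greps for, and also adds the Cisco dotted form (an extension beyond the article's pattern), then filters lines case-insensitively. The log lines are constructed for the example and do not reproduce the real output.master format.

```python
"""Filter output.master lines for one client MAC in any notation.

Added example, not Fortinet/FortiNAC code. Covers the three forms the
article's egrep uses (aa:bb:cc:dd:ee:ff, aabbccddeeff, aa-bb-cc-dd-ee-ff)
plus the Cisco dotted form (aabb.ccdd.eeff). SAMPLE_LOG is constructed
and is not real FortiNAC output."""
import re


def normalize_mac(mac: str) -> str:
    """Strip separators and return the 12 hex digits in lowercase."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()


def mac_pattern(mac: str) -> "re.Pattern[str]":
    """Regex matching the MAC in colon, bare, hyphen or Cisco dotted form."""
    h = normalize_mac(mac)
    pairs = [h[i:i + 2] for i in range(0, 12, 2)]
    forms = [
        ":".join(pairs),                                   # dc:71:96:11:99:19
        "".join(pairs),                                    # dc7196119919
        "-".join(pairs),                                   # dc-71-96-11-99-19
        ".".join(h[i:i + 4] for i in range(0, 12, 4)),     # dc71.9611.9919
    ]
    return re.compile("|".join(re.escape(f) for f in forms), re.IGNORECASE)


def filter_log(lines, mac: str) -> list:
    """Return only the lines mentioning this client, like `egrep -i`."""
    pat = mac_pattern(mac)  # compiled once, reused for every line
    return [line for line in lines if pat.search(line)]


# Constructed sample lines; the MAC is the one from the article's example.
SAMPLE_LOG = [
    "RadiusManager: Access-Request from 10.0.0.5 for DC:71:96:11:99:19",
    "RadiusManager: looking up host dc7196119919",
    "RadiusManager: Access-Request from 10.0.0.5 for AA:BB:CC:00:11:22",
    "RadiusManager: Access-Accept VLAN 100 for DC-71-96-11-99-19",
    "RadiusManager: controller reports dc71.9611.9919 associated",
]

if __name__ == "__main__":
    for line in filter_log(SAMPLE_LOG, "dc:71:96:11:99:19"):
        print(line)
```

To use it on a saved copy of the log, call `filter_log(open("output.master"), "<client MAC>")`; because the pattern is compiled once, a large file is cheap to scan.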

If FortiNAC is the RADIUS termination point, also turn on this debug in addition:

nacdebug -name RadiusAccess true

Look at /var/log/radius/radius.log for more local RADIUS debugging. Be sure to go to the Local RADIUS configuration and set Debug&Troubleshooting and FortiNAC Server log Debug to "Enable" on FortiNAC version 9.x and up.

 
  • Have the client attempt to connect.
  • Press Ctrl-C to stop tail.
  • Disable the debug; on the command line type:

nacdebug -name RadiusManager false
nacdebug -name RadiusAccess false

  • Check which debug options are still enabled:

nacdebug -all | grep -i true

On FortiNAC-OS, log in as admin and enter the shell to execute all the above commands:

$ execute enter-shell
# nacdebug -name RadiusManager true
# nacdebug -name RadiusAccess true


Control Server Not Receiving RADIUS Requests:
  • Verify the switch/controller/Access Point is configured correctly and is sending the requests. If the device is not sending requests, contact the vendor for further assistance. It may be helpful to provide the following, capturing the behavior:
    • Packet capture taken from the FortiNAC CLI of the RADIUS transaction. The following command writes to a cap file (viewable with applications such as Wireshark):

tcpdump -s 0 -w <filename>.cap -i any '(port 1812)'

    • Logs from the Controller covering the same timeframe as the packet capture.
  • Verify firewall rules to ensure port 1812 is not being blocked.
 
Control Server Not Responding:
  • 802.1x Authentication: Confirm RADIUS Access Requests are reaching the RADIUS server, and whether or not the server is responding. This can be verified by taking a packet capture on both the NAC Server/Control Server and the RADIUS Server:
    tcpdump -nni any host <RADIUS Server IP address>
    • RADIUS server is not responding: refer to the related KB article below.
    • RADIUS server is sending Access Accepts: review output.master logs and consult with Support.
  • MAC Authentication: review output.master logs and consult with Support.
 
Control Server Responding with Access Accept:
A value in the packet sent by FortiNAC is not accepted by the Controller or Access Point.  A common cause is the secret not matching.  Verify the secret matches between all of the following:
  • Controller or Access Point
  • FortiNAC Model Configuration and SSID Configuration 
  • RADIUS Server (if using 802.1x Authentication)
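A capture alone shows that FortiNAC answered, not whether the controller can validate the answer. The following added Python example (not Fortinet code) decodes the RADIUS header of packets taken from a capture such as the tcpdump above, classifies them as Access-Request, Access-Accept or Access-Reject, and recomputes the Response Authenticator as RFC 2865 defines it (MD5 over Code, Identifier, Length, the Request Authenticator, the attributes and the shared secret). If the check fails with the secret you believe both sides hold, the secrets differ, and a trailing space is enough to cause that. The packets, the secret and all function names are the example's own constructions.

```python
"""Decode RADIUS packets and verify the Response Authenticator.

Added example, not Fortinet/FortiNAC code. The packets and secret below
are constructed inline; nothing here is captured traffic."""
import hashlib
import hmac
import struct

# RADIUS packet codes (RFC 2865 section 3).
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         11: "Access-Challenge"}


def parse_radius(data: bytes) -> dict:
    """Split a raw RADIUS packet (the UDP payload from a pcap) into header
    fields and attribute bytes; trailing padding beyond Length is ignored."""
    if len(data) < 20:
        raise ValueError("RADIUS packet shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError(f"bad Length field {length} for {len(data)}-byte packet")
    return {"code": code, "name": CODES.get(code, f"code-{code}"),
            "id": ident, "length": length,
            "authenticator": data[4:20], "attributes": data[20:length]}


def response_authenticator(code: int, ident: int, length: int,
                           request_auth: bytes, attributes: bytes,
                           secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    h = hashlib.md5()
    h.update(struct.pack("!BBH", code, ident, length))
    h.update(request_auth)
    h.update(attributes)
    h.update(secret)
    return h.digest()


def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """True if the response answers this request and was built with this
    secret. False with the secret you expect means the two sides disagree."""
    req, rsp = parse_radius(request), parse_radius(response)
    if req["code"] != 1 or rsp["id"] != req["id"]:
        return False
    expected = response_authenticator(rsp["code"], rsp["id"], rsp["length"],
                                      req["authenticator"], rsp["attributes"],
                                      secret)
    return hmac.compare_digest(expected, rsp["authenticator"])


def diagnose(request: bytes, response: bytes, secret: bytes) -> str:
    """One-line verdict in the spirit of the article's checklist."""
    rsp = parse_radius(response)
    if verify_response(request, response, secret):
        return f"{rsp['name']} id={rsp['id']}: authenticator OK"
    return (f"{rsp['name']} id={rsp['id']}: authenticator MISMATCH "
            "(shared secret differs between FortiNAC and the controller)")


# Helpers that build the constructed sample packets.
def build_attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_request(ident: int, attrs: list, request_auth: bytes) -> bytes:
    body = b"".join(attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + request_auth + body


def build_response(code: int, request: bytes, attrs: list, secret: bytes) -> bytes:
    req = parse_radius(request)
    body = b"".join(attrs)
    length = 20 + len(body)
    auth = response_authenticator(code, req["id"], length,
                                  req["authenticator"], body, secret)
    return struct.pack("!BBH", code, req["id"], length) + auth + body


# Constructed sample: secret "s3cret", a fixed Request Authenticator (a real
# supplicant sends 16 random bytes) and the MAC from the article's example.
SECRET = b"s3cret"
REQ_AUTH = bytes(range(16))
REQUEST = build_request(7, [build_attr(1, b"host-a"),                 # User-Name
                            build_attr(31, b"DC-71-96-11-99-19")],    # Calling-Station-Id
                        REQ_AUTH)
ACCEPT = build_response(2, REQUEST, [build_attr(81, b"\x00100")], SECRET)  # Tunnel-Private-Group-Id

if __name__ == "__main__":
    print(parse_radius(REQUEST)["name"], "->", diagnose(REQUEST, ACCEPT, SECRET))
    # The same packets checked with a secret carrying a trailing space:
    print(diagnose(REQUEST, ACCEPT, SECRET + b" "))
```

Feed it the request/response pair for one Identifier from the capture (the UDP payloads) together with the secret as configured on the controller; an Access-Request itself carries a random authenticator and cannot be verified this way, so the check is always done on the reply.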
If the behavior persists, contact the vendor for further assistance to determine why the Controller is not processing the response as expected. Provide the following, capturing the behavior:
    • Packet capture taken from the FortiNAC CLI of the RADIUS transaction. The following command writes to a cap file (viewable with applications such as Wireshark):

tcpdump -s 0 -w <filename>.cap -i any '(port 1812)'

    • Logs from the Controller covering the same timeframe as the packet capture. Cisco WLC debugs can be viewed in the controller's CLI using the following commands.

Note:
Syntax may change based on firmware version. Refer to Cisco documentation if the following commands do not work.

debug aaa all enable

(Messages will start to scroll on the screen.)

To stop:

debug aaa all disable

  • The Controller or Access Point is not operating properly: contact the appropriate vendor for further troubleshooting.

 

Control Server Responding with Access Reject:
  • 802.1x Authentication:
    • RADIUS server sending Access Reject: review the RADIUS server logs to determine the cause.
    • RADIUS server sending Access Accept:
      • In Topology, under the Network Access section of the SSID Configuration or Model Configuration, check whether Access Enforcement is set to Deny for the applicable Host State.
      • Review output.master logs and consult with Support.
  • MAC Authentication:
    • In Topology, under the Network Access section of the SSID Configuration or Model Configuration, check whether Access Enforcement is set to Deny for the applicable Host State.
    • Review output.master logs and consult with Support.

 

Related Articles:

Technical Note: 802.1x connectivity issues due to no RADIUS server response

Technical Note: Troubleshooting wireless clients moved to the wrong VLAN