FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
Hawada1
Staff
Article Id 203818
Description This article describes how to troubleshoot FortiNAC local RADIUS when one has trouble authenticating supplicants using any RADIUS authentication mechanism.
Scope FortiNAC v9.2.X, v9.4.X, FortiNAC-F v7.2.X, v7.4.X, v7.6.X.
Solution
  1. From the FortiNAC CLI, enable the following debugs:

execute enter-shell   <----- For FortiNAC-F versions.
nacdebug -name PolicyHelper true
nacdebug -name RadiusAccess true
nacdebug -name RadiusManager true
nacdebug -name BridgeManager true
Device -ip <Switch-IPaddress> -setAttr -name DEBUG -value "ForwardingInterface TelnetServer"

  2. To check which debug options are enabled:

nacdebug -all | grep -i true

Or:

CampusMgrDebug -all | grep -i true

  3. Under Network -> RADIUS -> Local Service, make sure the following options are enabled:
  • Debug & Troubleshooting.
  • Service Log Level -> High.
  • FortiNAC Server Log Debug.
  • Include Network Access Policy Debug.

  4. In another CLI session, run a packet capture before reproducing the issue (see Technical Tip: Run tcpdump in FortiNAC-F and save capture as a file). Execute the command below to capture the switch's RADIUS traffic, then download the file using WinSCP (valid for the FortiNAC branch only):

execute tcpdump -i any host <switch-ip> and port 1812 or host <switch-ip> and port 1645 or host <switch-ip> and port 3799 -w radius.pcap

In a tcpdump filter, 'and' binds tighter than 'or', so the host condition is repeated for each port; a filter written as 'host <switch-ip> and port 3799 or port 1812 or port 1645' would capture RADIUS traffic from every client, not only from the switch under test.

Note:

In the FortiNAC-F version, WinSCP can no longer be used. Instead, export the file to a TFTP server:

execute enter-shell
tftp -pr radius.pcap <tftp server IP>

  5. Once the issue is reproduced, grab the logs from FortiNAC. For further information about grab-log-snapshot, see Technical Tip: How to get a debug log report from FortiNAC-CA or FortiNAC-Manager.
  6. Collect the logs and the PCAP file and attach them to a FortiCare ticket.
  7. Disable the debugs on FortiNAC (FortiNAC-F):

execute enter-shell   <----- For FortiNAC-F versions.
nacdebug -name PolicyHelper false
nacdebug -name RadiusAccess false
nacdebug -name RadiusManager false
nacdebug -name BridgeManager false
Device -ip <Switch-IPaddress> -delAttr -name DEBUG -value "ForwardingInterface TelnetServer"

Check which debug options are still enabled:

nacdebug -all | grep -i true

Or:

CampusMgrDebug -all | grep -i true
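As an added example (not from this article or from Fortinet), the following Python script reads the radius.pcap produced in step 4, pairs each RADIUS reply with its request by identifier, and counts Access-Accept / Access-Reject / Access-Challenge outcomes per User-Name, which is a quick first pass before attaching the capture to the ticket. It assumes a classic pcap file with an Ethernet or Linux cooked link type (the latter is what 'tcpdump -i any' writes); the embedded capture built by build_sample_pcap() is constructed test data, not a real FortiNAC capture.

```python
import struct
from collections import Counter
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge",
                40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
                43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}  # RFC 2865 / RFC 5176 codes

def parse_radius(payload):
    """Return (code, identifier, {attr_type: [values]}) or None if the payload is not well-formed RADIUS."""
    code, ident, length = struct.unpack("!BBH", payload[:4]) if len(payload) >= 4 else (0, 0, 0)
    if not 20 <= length <= len(payload):
        return None
    attrs, pos = {}, 20
    while pos + 2 <= length:
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > length:
            break  # malformed attribute: stop rather than loop forever on a zero length
        attrs.setdefault(atype, []).append(payload[pos + 2:pos + alen])
        pos += alen
    return code, ident, attrs

def iter_pcap_udp(data):
    """Yield each IPv4/UDP payload in a classic pcap (Ethernet or Linux cooked v1/v2, which 'tcpdump -i any' writes)."""
    end = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    hdr_len, eth_off = {1: (14, 12), 113: (16, 14), 276: (20, 0)}[struct.unpack(end + "I", data[20:24])[0]]
    pos = 24
    while pos + 16 <= len(data):
        incl_len = struct.unpack(end + "I", data[pos + 8:pos + 12])[0]
        frame, pos = data[pos + 16:pos + 16 + incl_len], pos + 16 + incl_len
        ip = frame[hdr_len:]
        if frame[eth_off:eth_off + 2] == b"\x08\x00" and len(ip) >= 28 and ip[9] == 17:  # IPv4 carrying UDP
            ihl = (ip[0] & 0x0F) * 4
            yield ip[ihl + 8:ihl + struct.unpack("!H", ip[ihl + 4:ihl + 6])[0]]

def summarize(data):
    """Pair each RADIUS reply with its request by identifier; count (User-Name, reply code) outcomes."""
    pending, results = {}, Counter()
    for code, ident, attrs in filter(None, map(parse_radius, iter_pcap_udp(data))):
        if code in (1, 40, 43):  # requests carry User-Name (attribute type 1)
            pending[ident] = attrs.get(1, [b"?"])[0].decode("utf-8", "replace")
        else:
            results[(pending.pop(ident, "?"), RADIUS_CODES.get(code, str(code)))] += 1
    return results
def build_sample_pcap():  # constructed test capture, not a real FortiNAC one: alice rejected, bob accepted
    pkts = [(1, 7, b"\x01\x07alice"), (3, 7, b""), (1, 8, b"\x01\x05bob"), (2, 8, b"")]  # code, id, attrs
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # pcap global header, link type 1
    for code, ident, attrs in pkts:
        rad = struct.pack("!BBH", code, ident, 20 + len(attrs)) + bytes(16) + attrs  # zeroed authenticator
        udp = struct.pack("!HHHH", 1645, 1812, 8 + len(rad), 0) + rad
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, bytes(4), bytes(4)) + udp
        out += struct.pack("<IIII", 0, 0, 14 + len(ip), 14 + len(ip)) + bytes(12) + b"\x08\x00" + ip
    return out
```

Run it on a real file with summarize(open("radius.pcap", "rb").read()); a successful EAP exchange shows several Access-Challenge replies before the Access-Accept. RADIUS identifiers are only unique per client, so on a capture containing several switches key the pending dictionary on the NAS address as well.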

 

Note:

During the RADIUS authentication phase, FortiNAC uses the 'Winbind' service to query the LDAP server and validate the user.

If that succeeds, post-auth runs: in this phase FortiNAC looks up the user record, which is fetched from LDAP if it does not exist locally. Then, when the policy runs, groups can be used as part of the policy lookup.
During RADIUS authentication it does not matter whether the group is synced with FortiNAC or not: Winbind queries the LDAP server.

Related documents:

Troubleshooting Tip: FortiNAC Local Radius Debug and Troubleshooting via GUI

Machine Authentication - FortiNAC-F documentation

Technical Tip: MSCHAPv2 authentication, join FortiNAC in domain and checks