FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
Hawada1
Staff
Article Id 203818
Description This article describes how to troubleshoot the FNAC local RADIUS service when supplicants have trouble authenticating with any RADIUS authentication mechanism.
Scope FNAC version 9.1 and above. In previous versions, not all RADIUS debugging features may be visible in the GUI under Local Service.
Solution
  1. From the FNAC CLI, enable the following debugs:

    #nacdebug -name PolicyHelper true
    #nacdebug -name RadiusAccess true
    #nacdebug -name RadiusManager true
    #nacdebug -name BridgeManager true
    #Device -ip <Switch-IPaddress> -setAttr -name DEBUG -value "ForwardingInterface TelnetServer"

  2. To check which debug options are enabled:
  • nacdebug -all | grep -i true

or

  • CampusMgrDebug -all | grep -i true

  3. Under Network >> RADIUS >> Local Service, make sure the following options are enabled:
    - Debug & Troubleshooting
    - Service Log Level ---> High
    - FortiNAC Server Log Debug
    - Include Network Access Policy Debug

 

Once the issue is reproduced, grab the logs from the FNAC CLI using the following command:
    > grab-log-snapshot
For further information about grab-log-snapshot, see the following article:
https://community.fortinet.com/t5/FortiNAC/Technical-Tip-How-to-Use-grab-log-snapshot/ta-p/190755

 

  4. In another session, collect a packet capture with tcpdump while reproducing the issue:
    >tcpdump -nnvvSXi any 'host <switch-ip> and (port 3799 or 1812 or 1645)' -w CoA_Capture.pcap

 

  5. After reproducing the issue, collect the logs and the pcap file and attach them to your FortiCare ticket.

 

  6. Disable debug on FNAC:
    #nacdebug -name PolicyHelper false
    #nacdebug -name RadiusAccess false
    #nacdebug -name RadiusManager false
    #nacdebug -name BridgeManager false
    #Device -ip <Switch-IPaddress> -setAttr -name DEBUG -value ""

Useful article:
https://community.fortinet.com/t5/FortiNAC/Troubleshooting-Tip-FortiNAC-Local-Radius-Debug-amp/ta-p/...
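
Before attaching CoA_Capture.pcap, it can help to see which RADIUS exchanges the capture actually contains. The following is an added example, not Fortinet code: it reads a classic pcap as written by tcpdump -w, counts RADIUS packet codes, and lists requests that never received a reply. The addresses, ports and packets in SAMPLE are constructed, and the function names are this example's own.

```python
import struct
from collections import Counter
# RADIUS codes from RFC 2865 (authentication) and RFC 5176 (Disconnect/CoA).
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         11: "Access-Challenge", 40: "Disconnect-Request", 41: "Disconnect-ACK",
         42: "Disconnect-NAK", 43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
REQUESTS, PORTS = {1, 40, 43}, {1812, 1645, 3799}
L2_LEN = {1: 14, 113: 16, 276: 20}  # Ethernet, Linux cooked v1/v2 ("-i any")

def radius_packets(pcap):
    """Yield (src, dst, code, id) per IPv4/UDP RADIUS packet in a classic pcap."""
    end = "<" if pcap[:4] in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1") else ">"
    skip, off = L2_LEN[struct.unpack(end + "I", pcap[20:24])[0]], 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        ip = pcap[off + 16 + skip:off + 16 + incl]
        off += 16 + incl
        ihl = (ip[0] & 0x0F) * 4 if ip else 0
        if len(ip) < ihl + 10 or ip[0] >> 4 != 4 or ip[9] != 17:
            continue  # not IPv4/UDP, or cut off before the RADIUS code/id
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        if {sport, dport} & PORTS:
            addr = lambda b, p: ".".join(map(str, b)) + f":{p}"
            yield addr(ip[12:16], sport), addr(ip[16:20], dport), ip[ihl + 8], ip[ihl + 9]

def summarize(pcap):
    """Return (per-code counts, sorted requests that never got a reply)."""
    counts, pending = Counter(), {}
    for src, dst, code, ident in radius_packets(pcap):
        counts[CODES.get(code, f"code-{code}")] += 1
        if code in REQUESTS:
            pending[(src, dst, ident)] = code
        else:  # a reply travels dst -> src and carries the request's identifier
            pending.pop((dst, src, ident), None)
    return counts, sorted(pending)

def _rec(src, dst, sport, dport, code, ident):  # builds one constructed record
    rad = struct.pack("!BBH16s", code, ident, 20, b"")
    udp = struct.pack("!HHHH", sport, dport, 8 + len(rad), 0) + rad
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(src), bytes(dst)) + udp
    frame = struct.pack("!HHH8sH", 0, 1, 6, b"", 0x0800) + ip
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

SW, NAC = [10, 0, 0, 5], [10, 0, 0, 10]  # constructed switch / FortiNAC addresses
SAMPLE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 113) + b"".join([
    _rec(SW, NAC, 50000, 1812, 1, 7), _rec(NAC, SW, 1812, 50000, 2, 7),
    _rec(SW, NAC, 50000, 1812, 1, 8),                  # no reply in the capture
    _rec(NAC, SW, 40000, 3799, 43, 1), _rec(SW, NAC, 3799, 40000, 45, 1)])
```

To run it on a real capture, pass the file contents: summarize(open("CoA_Capture.pcap", "rb").read()). An Access-Request left in the unanswered list, or a CoA-NAK in the counts, shows which side of the exchange to look at first in the debug logs.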

 
