FortiNAC
FortiNAC is a s a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
Hawada1
Staff
Staff
Description This article describes how to troubleshoot FNAC local RADIUS when one has  trouble authenticating supplicants using any RADIUS authentication mechanism.
Scope FNAC version 9.1 and above, people might not see all RADIUS debugging furthers available in previous versions from the GUI under Local Service.
Solution
  1. From the FNAC CLI enable the following debug:

    #nacdebug -name PolicyHelper true
    #nacdebug -name RadiusAccess true
    #nacdebug -name RadiusManager true
    #nacdebug -name BridgeManager true
    #Device -ip <Switch-IPaddress> -setAttr -name DEBUG -value "ForwardingInterface TelnetServer"

  2. To check what debug options are enabled
  • nacdebug -all | grep -i true

or

  • CampusMgrDebug -all | grep -i true

  1.  Under Network >> RADIUS >> Local Service make sure you enable the below options:
    - Debug & Troubleshooting
    - Service Log Level ---> High
    - FortiNAC Server Log Debug
    - Include Network Access Policy Debug

 

Once the issue is  reproduced please grab the logs from FNAC CLI using the below command > grab-log-snapshot. For further information about grab-log-snapshot please check the following article:
https://community.fortinet.com/t5/FortiNAC/Technical-Tip-How-to-Use-grab-log-snapshot/ta-p/190755

 

  1. In another session collect the tcpdump logs while reproducing the issue:
    >tcpdump -nnvvSXi any host <switch-ip> and port 3799 or 1812 or 1645 -w CoA_Capture.pcap

 

  1. After reproducing the issue, please collect the logs and pcap file and  attach them to your FortiCare ticket.

 

  1. Disable debug on FNAC:
    #nacdebug -name PolicyHelper false
    #nacdebug -name RadiusAccess false
    #nacdebug -name RadiusManager false
    #nacdebug -name BridgeManager false
    # Device -ip < Switch-IPaddress > -setAttr -name DEBUG -value ""

Useful article:
https://community.fortinet.com/t5/FortiNAC/Troubleshooting-Tip-FortiNAC-Local-Radius-Debug-amp/ta-p/...

 

Contributors