FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
Article Id 203818
Description This article describes how to troubleshoot FortiNAC local RADIUS when one has trouble authenticating supplicants using any RADIUS authentication mechanism.
Scope FortiNAC v9.1 and above. On these versions, some of the RADIUS debugging options that earlier versions offered in the GUI under Local Service may no longer be visible there.
Solution
  1. From the FortiNAC CLI, enable the following debug flags (replace <Switch-IPaddress> with the IP address of the switch the supplicant connects through):

    #nacdebug -name PolicyHelper true
    #nacdebug -name RadiusAccess true
    #nacdebug -name RadiusManager true
    #nacdebug -name BridgeManager true
    #Device -ip <Switch-IPaddress> -setAttr -name DEBUG -value "ForwardingInterface TelnetServer"

  2. Check which debug options are enabled:

    #nacdebug -all | grep -i true

    Or:

    #CampusMgrDebug -all | grep -i true

  3. Under Network >> RADIUS >> Local Service, make sure the following options are enabled:

  • Debug & Troubleshooting
  • Service Log Level ---> High
  • FortiNAC Server Log Debug
  • Include Network Access Policy Debug

 

  4. Once the issue is reproduced, collect the logs from the FortiNAC CLI with the following command:

    #grab-log-snapshot

    For further information about grab-log-snapshot, see the following article:
    https://community.fortinet.com/t5/FortiNAC/Technical-Tip-How-to-Use-grab-log-snapshot/ta-p/190755

 

  5. In another session, capture the RADIUS traffic between FortiNAC and the switch while reproducing the issue. Quote the filter and group the port list in parentheses: pcap filters evaluate "and" and "or" left to right with equal precedence, so without the parentheses the capture would also include port 1812 and 1645 traffic from every host, not just the switch:

    #tcpdump -nnvvSXi any 'host <switch-ip> and (port 3799 or 1812 or 1645)' -w CoA_Capture.pcap

    Port 1812 (or the legacy port 1645) carries RADIUS authentication and port 3799 carries RADIUS Change of Authorization (CoA) and Disconnect messages. RADIUS accounting (ports 1813/1646) is not included in this filter.

 

  6. After reproducing the issue, collect the logs and the pcap file and attach them to your FortiCare ticket.

 

  7. Disable debug on FortiNAC:

    #nacdebug -name PolicyHelper false
    #nacdebug -name RadiusAccess false
    #nacdebug -name RadiusManager false
    #nacdebug -name BridgeManager false
    #Device -ip <Switch-IPaddress> -delAttr -name DEBUG -value "ForwardingInterface TelnetServer"

    Check that no debug options are still enabled (the command should print nothing):

    #nacdebug -all | grep -i true

    Or:

    #CampusMgrDebug -all | grep -i true
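The CLI steps above wrapped in one shell session, added here as an example and not Fortinet's own tooling: it enables the debug flags, starts the capture with the grouped filter, and uses an EXIT trap so the flags are cleared and re-checked even if the session is interrupted. It assumes the FortiNAC root shell where nacdebug, Device, grab-log-snapshot and tcpdump are available; the SWITCH_IP placeholder (192.0.2.10), the RUN and PCAP variables and the fnac_* function names are this example's own, and RUN=echo prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: wraps the FortiNAC local RADIUS debug procedure from this article.
# Assumes the FortiNAC root shell (nacdebug, Device, grab-log-snapshot, tcpdump present).
# SWITCH_IP is the switch the supplicant connects through (placeholder below); RUN=echo dry-runs.
SWITCH_IP="${SWITCH_IP:-192.0.2.10}"
RUN="${RUN:-}"
PCAP="${PCAP:-CoA_Capture.pcap}"
DEBUG_FLAGS="PolicyHelper RadiusAccess RadiusManager BridgeManager"
# Turn the four nacdebug flags and the switch DEBUG attribute on ("true") or off ("false").
fnac_debug_set() {
    state="$1"
    for flag in $DEBUG_FLAGS; do
        $RUN nacdebug -name "$flag" "$state"
    done
    if [ "$state" = "true" ]; then
        $RUN Device -ip "$SWITCH_IP" -setAttr -name DEBUG -value "ForwardingInterface TelnetServer"
    else
        $RUN Device -ip "$SWITCH_IP" -delAttr -name DEBUG -value "ForwardingInterface TelnetServer"
    fi
}
# Capture filter: the parentheses keep the port list scoped to the switch, because pcap
# filters evaluate "and" and "or" left to right with equal precedence.
fnac_capture_filter() {
    printf 'host %s and (port 3799 or 1812 or 1645)' "$SWITCH_IP"
}
# Start tcpdump in the background and remember its PID in CAPTURE_PID.
fnac_capture_start() {
    $RUN tcpdump -nni any "$(fnac_capture_filter)" -w "$PCAP" &
    CAPTURE_PID=$!
}
# Clear the flags and list anything still enabled (any output here means a flag is still on).
fnac_debug_cleanup() {
    fnac_debug_set false
    $RUN nacdebug -all | grep -i true
}
# Full session: enable debug, capture, wait for the reproduction, snapshot logs, clean up.
fnac_radius_debug_session() {
    trap fnac_debug_cleanup EXIT
    trap 'exit 130' INT TERM
    fnac_debug_set true
    fnac_capture_start
    printf 'Reproduce the supplicant authentication now, then press Enter.\n'
    read -r reply
    kill "$CAPTURE_PID" 2>/dev/null
    $RUN grab-log-snapshot
}
if [ "${1:-}" = "--run" ]; then fnac_radius_debug_session; fi
```

Run it as `SWITCH_IP=<switch-ip> sh fnac-radius-debug.sh --run`; the pcap and the grab-log-snapshot output are what step 6 attaches to the ticket.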

Related article:

Troubleshooting Tip: FortiNAC Local Radius Debug and Troubleshooting via GUI