Description
This article describes how to troubleshoot an issue where FortiNAC fails to connect to an LDAP server over the SSL protocol (LDAPS). A solution is offered.

Scope
FortiNAC Version 9.x

Solution
Troubleshooting steps:
1) Enable debug in FortiNAC. Log in to the NAC CLI and type the following command:
# nacdebug -name DirectoryManager true
2) Tail the output.master log file.
3) In the FortiNAC GUI, validate the credentials of the LDAP server that fails to connect.
4) In the log output, look for entries similar to the following:
yams SEVERE :: 2023-03-02 17:36:36:993 :: #417 :: javax.naming.CommunicationException: x.x.x.x:636 [Root exception is javax.net.ssl.SSLHandshakeException: The server selected protocol version TLS10 is not accepted by client preferences [TLS13, TLS12]]
<...>
yams SEVERE :: 2023-03-02 17:36:36:995 :: #417 :: Caused by: javax.net.ssl.SSLHandshakeException: The server selected protocol version TLS10 is not accepted by client preferences [TLS13, TLS12]
The output indicates that the SSL handshake cannot be completed: the LDAP server selected TLS 1.0, and the FortiNAC client only accepts TLS 1.2 or TLS 1.3, neither of which the LDAP server supports.
5) Disable debug:
# nacdebug -name DirectoryManager false
To fix the issue, enable TLS 1.2 or 1.3 on the LDAP server being integrated with FortiNAC.
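As an added example (not part of the original article or of FortiNAC itself), the following Python script scans output.master text for the SSLHandshakeException shown in step 4 and reports the endpoint, the protocol the server selected, and the versions the FortiNAC client accepts. The sample log text is constructed from the lines above; the IP address and thread id are placeholders.

```python
import re
from typing import Optional

# Constructed sample of output.master lines, modelled on the article's step 4.
# "x.x.x.x" and "#417" are placeholders, not real values.
SAMPLE_LOG = """\
yams INFO :: 2023-03-02 17:36:36:900 :: #417 :: DirectoryManager validating credentials
yams SEVERE :: 2023-03-02 17:36:36:993 :: #417 :: javax.naming.CommunicationException: x.x.x.x:636 [Root exception is javax.net.ssl.SSLHandshakeException: The server selected protocol version TLS10 is not accepted by client preferences [TLS13, TLS12]]
yams SEVERE :: 2023-03-02 17:36:36:995 :: #417 :: Caused by: javax.net.ssl.SSLHandshakeException: The server selected protocol version TLS10 is not accepted by client preferences [TLS13, TLS12]
"""

# The Java SSLHandshakeException message for a protocol-version mismatch.
VERSION_MISMATCH = re.compile(
    r"SSLHandshakeException: The server selected protocol version (?P<server>\w+) "
    r"is not accepted by client preferences \[(?P<client>[^\]]*)\]"
)
# The "host:port" that the CommunicationException reports, e.g. x.x.x.x:636.
ENDPOINT = re.compile(r"CommunicationException: (?P<endpoint>\S+) \[")


def pretty_version(name: str) -> str:
    """Turn the JSSE name 'TLS12' into the conventional 'TLS 1.2'."""
    return re.sub(r"^TLS(\d)(\d)$", r"TLS \1.\2", name)


def diagnose_tls_mismatch(log_text: str) -> Optional[dict]:
    """Return a diagnosis dict for the LDAPS version mismatch, or None if absent.

    Only SEVERE lines are inspected. The endpoint is remembered from the
    CommunicationException line so it is reported even when the matching
    'Caused by' line appears later in the log.
    """
    endpoint = None
    for line in log_text.splitlines():
        if "SEVERE" not in line:
            continue
        ep = ENDPOINT.search(line)
        if ep:
            endpoint = ep.group("endpoint")
        m = VERSION_MISMATCH.search(line)
        if m:
            client = [pretty_version(v.strip()) for v in m.group("client").split(",") if v.strip()]
            return {
                "endpoint": endpoint,
                "server_selected": pretty_version(m.group("server")),
                "client_accepts": client,
                "remediation": f"Enable {' or '.join(client)} on the LDAP server {endpoint or '(unknown)'}",
            }
    return None


if __name__ == "__main__":
    print(diagnose_tls_mismatch(SAMPLE_LOG))
```

Run it against a real output.master capture (for example, by piping the file into `diagnose_tls_mismatch(sys.stdin.read())`); a None result means the failure is not this TLS version mismatch and the log should be read for a different root exception.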