FortiSwitch
FortiSwitch: secure, simple and scalable Ethernet solutions
ehamud
Staff
Article Id 322013
Description

This article describes how to validate the packet flow between a station connected to a FortiSwitch Ethernet port and the RADIUS server.
Scope

FortiSwitch v7.x.x onwards.

Solution

This article uses the following topology:

FortiGate --------------> FortiSwitch --------------> FortiAuthenticator as RADIUS server.

In some situations, users connected directly to FortiSwitch Ethernet ports are not authenticated through their 802.1X profile. In those cases it is useful to confirm whether the RADIUS request actually leaves the switch and whether a response comes back.

In this example the FortiAuthenticator RADIUS server has the client's MAC address in its MAC address database, and the FortiSwitch uses an 802.1X profile that assigns the client to the correct VLAN.

 

2024-06-21 12:16:23 fnbamd_auth.c[292] fnbamd_create_radius_socket-Opened radius socket 11
2024-06-21 12:16:23 fnbamd_auth.c[292] fnbamd_create_radius_socket-Opened radius socket 12
2024-06-21 12:16:23 fnbamd_radius.c[1326] fnbamd_radius_auth_init-svr_idx=0 ctx=0x2400b04, user=b4-99-ba-58-2f-ef, cred=0x243d26d, cred_len=17
2024-06-21 12:16:23 fnbamd_radius.c[1328] fnbamd_radius_auth_init-auth_prot=0, chap_challenge=(nil), chap_challenge_len=0

2024-06-21 12:16:23 fnbamd_radius.c[1769] fnbamd_radius_auth_send-Compose RADIUS request     ------------From FortiSwitch

 

2024-06-21 12:16:23 fnbamd_radius.c[2072] fnbamd_radius_auth_send-Radius auth_send check DNS :10.10.70.90:
2024-06-21 12:16:23 fnbamd_radius.c[1717] fnbamd_rad_dns_cb-10.10.70.90->10.10.70.90
2024-06-21 12:16:23 fnbamd_radius.c[1613] __send_udp-sending radius udp IPv4 request: fd=11.
2024-06-21 12:16:23 fnbamd_radius.c[1656] __fnbamd_rad_send-Sent radius req to server 'FAC': fd=11, is_ipv6:0,

 

The FortiSwitch sends an Access-Request for the user, with the PAP authentication method:

 

IP=10.10.70.90(10.10.70.90:1812) code=ACCESS_REQUEST id=134 len=159 user="b4-99-ba-58-2f-ef" using PAP
2024-06-21 12:16:23 fnbamd_auth.c[1084] fnbamd_auth_start-Auth protocol start

 

FortiAuthenticator finds the user in its database and replies with Access-Accept:

2024-06-21 12:16:23 fnbamd_fsm.c[214] create_auth_session-Registering auth timeout :7000:
2024-06-21 12:16:23 fnbamd_fsm.c[1976] handle_auth_rsp-handle_auth_rsp: from file descriptor:11:
2024-06-21 12:16:23 fnbamd_auth.c[2375] fnbamd_auth_handle_radius_result-Result for vlanId :0: vlanIdName:APs-Management:

2024-06-21 12:16:23 fnbamd_radius.c[2318] fnbamd_radius_auth_validate_pkt-RADIUS resp code ACCESS_ACCEPT  --------From FAC

 

2024-06-21 12:16:23 fnbamd_radius.c[2429] fnbamd_radius_auth_validate_pkt-Class attribute size:0:

2024-06-21 12:16:23 fnbamd_auth.c[2410] fnbamd_auth_handle_radius_result-->Result for radius svr 10.10.70.90(0) is FNBAM_SUCCESS

2024-06-21 12:16:23 fnbamd_auth.c[2430] fnbamd_auth_handle_radius_result-Passed group matching

2024-06-21 12:16:23 fnbamd_auth.c[2460] fnbamd_auth_handle_radius_result-Radius Resp Success ACCT_INTERIM:0:

2024-06-21 12:16:23 fnbamd_auth.c[2315] fnbamd_get_egr_vlan-Received from radius server ingress-filters: 1
2024-06-21 12:16:23 fnbamd_auth.c[2324] fnbamd_get_egr_vlan-egress-vlan:
2024-06-21 12:16:23 fnbamd_auth.c[2329] fnbamd_get_egr_vlan-egress-untagged:
2024-06-21 12:16:23 fnbamd_comm.c[213] fnbamd_comm_send_result-Sending result FNBAM_SUCCESS for req 115278211 len 0 class 0:0 filter 0:0
2024-06-21 12:16:23 FNBAM wrdapd_fnbam_read id:115278211 resp_res:?? session timeout:0 term_action:0: remote_server_timeout :0: remote_server_authfail:0:

 

The 802.1X profile on the FortiSwitch resolves the returned VLAN name to VLAN 70:


eap_sz:1536: class_sz:0 filter_avp:0 group_sz:0 :4412:1436:32:5496:6400
2024-06-21 12:16:23 fnbamd_auth.c[434] radius_stop-radius_stop for usergroup :FAC-MAB-8021X:, username :b4-99-ba-58-2f-ef:

2024-06-21 12:16:23 wrdapd_fnbam_read :: srv:FAC: type:0: radius_coa:0: response_acct_user:: sta_acct_user:b4-99-ba-58-2f-ef:
2024-06-21 12:16:23 wrdapd_fnbam_get_vlanId_byName vlan_id 70, prio 128 min_prio 128
2024-06-21 12:16:23 wrdapd_fnbam_read srv:FAC: type:0: vlan_id:70: assign_vlan:70: vlan_id_Name:APs-Management:
2024-06-21 12:16:23 wrdapd_fnbam_read interim interval resp:0: set:0:
2024-06-21 12:16:23 Radius Fortinet Groups ::
2024-06-21 12:16:23 MAB: b4:99:ba:58:2f:ef entering state SUCCESS
2024-06-21 12:16:23 WRDAPD: b4:99:ba:58:2f:ef MAB auth event:Success, timeout:0 passed:1

2024-06-21 12:17:17 IEEE 802.1X: 00:09:0f:03:03:03 BE_AUTH entering state REQUEST
2024-06-21 12:17:17 FTNT_FSW: EAP packet sending with **vlanid=70** tag_mode:0: in header on port3:
2024-06-21 12:17:17 fnbamd_radius.c[2072] fnbamd_radius_auth_send-Radius auth_send check DNS :10.10.70.90:
2024-06-21 12:17:17 fnbamd_radius.c[1717] fnbamd_rad_dns_cb-10.10.70.90->10.10.70.90
2024-06-21 12:17:17 fnbamd_radius.c[1613] __send_udp-sending radius udp IPv4 request: fd=11.

2024-06-21 12:17:17 fnbamd_radius.c[1656] __fnbamd_rad_send-Sent radius req to server 'FAC': fd=11, is_ipv6:0, IP=10.10.70.90(10.10.70.90:1812) code=ACCESS_REQUEST id=135 len=159 user="04-d5-90-16-81-86" using PAP

2024-06-21 12:17:17 fnbamd_auth.c[1084] fnbamd_auth_start-Auth protocol start

2024-06-21 12:17:17 fnbamd_fsm.c[214] create_auth_session-Registering auth timeout :7000:
2024-06-21 12:17:18 fnbamd_fsm.c[1976] handle_auth_rsp-handle_auth_rsp: from file descriptor:11:
2024-06-21 12:17:18 fnbamd_auth.c[2375] fnbamd_auth_handle_radius_result-Result for vlanId  :0:  vlanIdName:: 

2024-06-21 12:17:18 fnbamd_radius.c[2318] fnbamd_radius_auth_validate_pkt-RADIUS resp code ACCESS_ACCEPT

2024-06-21 12:17:18 fnbamd_radius.c[2429] fnbamd_radius_auth_validate_pkt-Class attribute size:0:

 

An Access-Reject packet may also be returned. It means the request was denied because of server policies, insufficient privileges, or other criteria. Since the Access-Reject always comes from the RADIUS server, the RADIUS server is where the denial should be investigated.
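To make this check repeatable, the following added script (not part of this article or of any Fortinet product) walks fnbamd/wrdapd debug lines in the format shown above, pairs each Access-Request with the response and VLAN assignment lines that follow it, and reports where to look next. The sample log lines are constructed from the format on this page; the rejected and unanswered requests and their MAC addresses are invented for the example.

```python
import re

# Constructed sample in the fnbamd/wrdapd debug format shown in this article.
SAMPLE_LOG = """\
2024-06-21 12:16:23 fnbamd_radius.c[1656] __fnbamd_rad_send-Sent radius req to server 'FAC': fd=11, is_ipv6:0, IP=10.10.70.90(10.10.70.90:1812) code=ACCESS_REQUEST id=134 len=159 user="b4-99-ba-58-2f-ef" using PAP
2024-06-21 12:16:23 fnbamd_radius.c[2318] fnbamd_radius_auth_validate_pkt-RADIUS resp code ACCESS_ACCEPT
2024-06-21 12:16:23 fnbamd_auth.c[2410] fnbamd_auth_handle_radius_result-->Result for radius svr 10.10.70.90(0) is FNBAM_SUCCESS
2024-06-21 12:16:23 wrdapd_fnbam_read srv:FAC: type:0: vlan_id:70: assign_vlan:70: vlan_id_Name:APs-Management:
2024-06-21 12:17:17 fnbamd_radius.c[1656] __fnbamd_rad_send-Sent radius req to server 'FAC': fd=11, is_ipv6:0, IP=10.10.70.90(10.10.70.90:1812) code=ACCESS_REQUEST id=135 len=159 user="00-11-22-33-44-55" using PAP
2024-06-21 12:17:18 fnbamd_radius.c[2318] fnbamd_radius_auth_validate_pkt-RADIUS resp code ACCESS_REJECT
2024-06-21 12:18:05 fnbamd_radius.c[1656] __fnbamd_rad_send-Sent radius req to server 'FAC': fd=11, is_ipv6:0, IP=10.10.70.90(10.10.70.90:1812) code=ACCESS_REQUEST id=136 len=159 user="00-11-22-33-44-66" using PAP
"""

# Patterns for the three line types the walkthrough above relies on.
REQ = re.compile(r'IP=(?P<ip>[\d.]+)\(.*?\) code=ACCESS_REQUEST id=(?P<id>\d+) .*?user="(?P<user>[^"]+)" using (?P<method>\w+)')
RESP = re.compile(r'RADIUS resp code (?P<code>\w+)')
VLAN = re.compile(r'wrdapd_fnbam_read srv:(?P<srv>[^:]*): type:\d+: vlan_id:\d+: assign_vlan:(?P<vlan>\d+): vlan_id_Name:(?P<name>[^:]*):')


def parse_radius_flow(log_text):
    """Walk the debug output in order; each Access-Request opens a session and
    the response / VLAN lines that follow are attached to that session."""
    sessions, cur = [], None
    for line in log_text.splitlines():
        m = REQ.search(line)
        if m:
            cur = {"id": int(m["id"]), "user": m["user"], "server": m["ip"],
                   "method": m["method"], "response": None, "vlan": None, "vlan_name": None}
            sessions.append(cur)
            continue
        if cur is None:
            continue
        m = RESP.search(line)
        if m:
            cur["response"] = m["code"]
            continue
        m = VLAN.search(line)
        if m:
            cur["vlan"], cur["vlan_name"] = int(m["vlan"]), m["name"]
    return sessions


def diagnose(session):
    """Classify a session the way the article reads the log."""
    if session["response"] is None:
        return "no RADIUS response seen: request left the switch, nothing came back from %s" % session["server"]
    if session["response"] == "ACCESS_REJECT":
        return "Access-Reject: the denial comes from the RADIUS server; investigate its policy for this user"
    if session["response"] == "ACCESS_ACCEPT" and session["vlan"] is not None:
        return "Access-Accept, client placed in VLAN %d (%s)" % (session["vlan"], session["vlan_name"])
    if session["response"] == "ACCESS_ACCEPT":
        return "Access-Accept without a VLAN assignment on the switch; check the 802.1X profile VLAN mapping"
    return "unexpected response %s" % session["response"]


if __name__ == "__main__":
    for s in parse_radius_flow(SAMPLE_LOG):
        print("id=%d user=%s -> %s" % (s["id"], s["user"], diagnose(s)))
```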