tobisfr
New Contributor III

FortiAuthenticator - MAC-based RADIUS "invalid user" before successful login

Hi,

 

We are just implementing FortiAuthenticator version 6.6.3 as a RADIUS server together with our HP Aruba / ProCurve switches. I configured MAC-based authentication on the switches:

 

aaa authentication mac-based chap-radius server-group "FAC"

aaa port-access mac-based 2-19

 

On the FortiAuthenticator side I

- created the devices under User Management --> MAC Devices

- registered the switch as a RADIUS client and created a MAC Authentication Bypass policy

 

The authentication works, but I always have an error before the successful authentication. If the client is connected:

 2025-05-13T09:00:14.065119+02:00 facauth: Updated auth log '606d3ca7ee62' for attempt from 10.10.1.116: user authentication error: invalid user

2025-05-13T09:00:14.068143+02:00 facauth: Updated auth log 'B20195042' for attempt from 10.10.1.116: MAC-based authentication successful

 

Am I doing anything wrong in the config?

 

 

2025-05-13T09:00:14.062802+02:00 FortiAuthenticator-BA radiusd[1488]: (4767) facauth: facauth: recv Access-Request from 10.10.1.116 port 1812, id=39, length=367 
2025-05-13T09:00:14.062807+02:00 FortiAuthenticator-BA radiusd[1488]:         Framed-MTU = 1492 
2025-05-13T09:00:14.062857+02:00 FortiAuthenticator-BA radiusd[1488]:         NAS-IP-Address = 10.10.1.116 
2025-05-13T09:00:14.062861+02:00 FortiAuthenticator-BA radiusd[1488]:         NAS-Identifier = "TEST-SWITCH" 
2025-05-13T09:00:14.062863+02:00 FortiAuthenticator-BA radiusd[1488]:         User-Name = "aabbcc" 
2025-05-13T09:00:14.062867+02:00 FortiAuthenticator-BA radiusd[1488]:         Service-Type = Call-Check 
2025-05-13T09:00:14.062869+02:00 FortiAuthenticator-BA radiusd[1488]:         Framed-Protocol = PPP 
2025-05-13T09:00:14.062872+02:00 FortiAuthenticator-BA radiusd[1488]:         NAS-Port = 5 
2025-05-13T09:00:14.062874+02:00 FortiAuthenticator-BA radiusd[1488]:         NAS-Port-Type = Ethernet 
2025-05-13T09:00:14.062877+02:00 FortiAuthenticator-BA radiusd[1488]:         NAS-Port-Id = "5" 
2025-05-13T09:00:14.062879+02:00 FortiAuthenticator-BA radiusd[1488]:         Called-Station-Id = "DD-EE-FF-88-46-fb" 
2025-05-13T09:00:14.062882+02:00 FortiAuthenticator-BA radiusd[1488]:         Calling-Station-Id = "AA-BB-CC-a7-ee-62" 
2025-05-13T09:00:14.062885+02:00 FortiAuthenticator-BA radiusd[1488]:         Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex" 
2025-05-13T09:00:14.062938+02:00 FortiAuthenticator-BA radiusd[1488]:         CHAP-Password = 0xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 
2025-05-13T09:00:14.062943+02:00 FortiAuthenticator-BA radiusd[1488]:         Message-Authenticator = 0x36962cf3c173bfad7aaeaef322671545 
2025-05-13T09:00:14.062946+02:00 FortiAuthenticator-BA radiusd[1488]:         MS-RAS-Vendor = 11 
2025-05-13T09:00:14.062948+02:00 FortiAuthenticator-BA radiusd[1488]:         HP-Capability-Advert = 0x011a0000000b28 
2025-05-13T09:00:14.062951+02:00 FortiAuthenticator-BA radiusd[1488]:         HP-Capability-Advert = 0x011a0000000b2e 
2025-05-13T09:00:14.062953+02:00 FortiAuthenticator-BA radiusd[1488]:         HP-Capability-Advert = 0x011a0000000b30 
2025-05-13T09:00:14.062955+02:00 FortiAuthenticator-BA radiusd[1488]:         HP-Capability-Advert = 0x011a0000000b3d 
2025-05-13T09:00:14.062957+02:00 FortiAuthenticator-BA radiusd[1488]:         HP-Capability-Advert = 0x011a0000000b18 
2025-05-13T09:00:14.062960+02:00 FortiAuthenticator-BA radiusd[1488]:         HP-Capability-Advert = 0x011a0000000b19 
2025-05-13T09:00:14.062962+02:00 FortiAuthenticator-BA radiusd[1488]:         HP-Capability-Advert = 0x011a0000000b1b 
2025-05-13T09:00:14.062964+02:00 FortiAuthenticator-BA radiusd[1488]:         HP-Capability-Advert = 0x0138 
2025-05-13T09:00:14.063011+02:00 FortiAuthenticator-BA radiusd[1488]:         HP-Capability-Advert = 0x013a 
2025-05-13T09:00:14.063015+02:00 FortiAuthenticator-BA radiusd[1488]:         HP-Capability-Advert = 0x0140 
2025-05-13T09:00:14.063018+02:00 FortiAuthenticator-BA radiusd[1488]:         HP-Capability-Advert = 0x0141 
2025-05-13T09:00:14.063020+02:00 FortiAuthenticator-BA radiusd[1488]:         HP-Capability-Advert = 0x0151 
2025-05-13T09:00:14.063024+02:00 FortiAuthenticator-BA radiusd[1488]:         Event-Timestamp = "May 13 2025 09:00:14 CEST" 
2025-05-13T09:00:14.063026+02:00 FortiAuthenticator-BA radiusd[1488]:         CHAP-Challenge = 0x8586df7105c2d596ce8760cee8b50ab5 
2025-05-13T09:00:14.063029+02:00 FortiAuthenticator-BA radiusd[1488]: (4767) facauth: ===>NAS IP:10.10.1.116 
2025-05-13T09:00:14.063037+02:00 FortiAuthenticator-BA radiusd[1488]: (4767) facauth: ===>Username:aabbcc 
2025-05-13T09:00:14.063042+02:00 FortiAuthenticator-BA radiusd[1488]: (4767) facauth: ===>Timestamp:1747119614.61868, age:1ms 
2025-05-13T09:00:14.063045+02:00 FortiAuthenticator-BA radiusd[1488]: (4767) facauth: old_authtype: chap (10870718) 

2025-05-13T09:00:14.063594+02:00 FortiAuthenticator-BA radiusd[1488]: (4767) facauth: Comparing client IP 10.10.1.116 with authclient BA-TEST (10.10.1.116, 1 IPs) 
2025-05-13T09:00:14.063597+02:00 FortiAuthenticator-BA radiusd[1488]: (4767) facauth: ------> matched! 

2025-05-13T09:00:14.063706+02:00 FortiAuthenticator-BA radiusd[1488]: (4767) facauth: Found authclient from preloaded authclients list for 10.10.1.116: BA-TEST (10.10.1.116) 
2025-05-13T09:00:14.063711+02:00 FortiAuthenticator-BA radiusd[1488]: (4767) facauth: authclient_id:1 auth_type:'mab' 
2025-05-13T09:00:14.064647+02:00 FortiAuthenticator-BA radiusd[1488]: (4767) facauth: Found authpolicy 'Switch-MAC-bypass' for client '10.10.1.116' 
2025-05-13T09:00:14.065066+02:00 FortiAuthenticator-BA radiusd[1488]: (4767) facauth: Setting 'Auth-Type := CSID'
2025-05-13T09:00:14.065119+02:00 FortiAuthenticator-BA radiusd[1488]: (4767) facauth: Updated auth log 'aabbcc' for attempt from 10.10.1.116: user authentication error: invalid user 
2025-05-13T09:00:14.065125+02:00 FortiAuthenticator-BA radiusd[1488]: (4767)     [facauth] = updated
2025-05-13T09:00:14.065132+02:00 FortiAuthenticator-BA radiusd[1488]: Not doing PAP as Auth-Type is already set.
2025-05-13T09:00:14.065136+02:00 FortiAuthenticator-BA radiusd[1488]: (4767)     [pap] = noop
2025-05-13T09:00:14.065141+02:00 FortiAuthenticator-BA radiusd[1488]: (4767)   } # authorize = updated
2025-05-13T09:00:14.065149+02:00 FortiAuthenticator-BA radiusd[1488]: (4767) Found Auth-Type = CSID
2025-05-13T09:00:14.065161+02:00 FortiAuthenticator-BA radiusd[1488]: (4767) # Executing group from file /usr/etc/raddb/sites-enabled/default
2025-05-13T09:00:14.065165+02:00 FortiAuthenticator-BA radiusd[1488]: (4767)   Auth-Type CSID {
2025-05-13T09:00:14.066989+02:00 FortiAuthenticator-BA radiusd[1488]: (4767) facauth: Add Static Radius attribute: attr_id:65 (attr 65, vendor 0) attr_val:'6' 
2025-05-13T09:00:14.066995+02:00 FortiAuthenticator-BA radiusd[1488]: (4767) facauth: Add Static Radius attribute: attr_id:64 (attr 64, vendor 0) attr_val:'13' 
2025-05-13T09:00:14.066999+02:00 FortiAuthenticator-BA radiusd[1488]: (4767) facauth: Add Static Radius attribute: attr_id:81 (attr 81, vendor 0) attr_val:'199' 
2025-05-13T09:00:14.068085+02:00 FortiAuthenticator-BA radiusd[1488]: (4767) facauth: MAC-based authentication OK
2025-05-13T09:00:14.068090+02:00 FortiAuthenticator-BA radiusd[1488]: (4767) facauth: Setting 'Post-Auth-Type := CSID'
2025-05-13T09:00:14.068143+02:00 FortiAuthenticator-BA radiusd[1488]: (4767) facauth: Updated auth log 'B20195042' for attempt from 10.10.1.116: MAC-based authentication successful 
2025-05-13T09:00:14.068152+02:00 FortiAuthenticator-BA radiusd[1488]: (4767) facauth: facauth: print reply attributes of request id 39: 
2025-05-13T09:00:14.068157+02:00 FortiAuthenticator-BA radiusd[1488]:         Message-Authenticator := 0x00 
2025-05-13T09:00:14.068162+02:00 FortiAuthenticator-BA radiusd[1488]:         Tunnel-Medium-Type += IEEE-802 
2025-05-13T09:00:14.068168+02:00 FortiAuthenticator-BA radiusd[1488]:         Tunnel-Type += VLAN 
2025-05-13T09:00:14.068171+02:00 FortiAuthenticator-BA radiusd[1488]:         Tunnel-Private-Group-Id += "199" 
2025-05-13T09:00:14.068175+02:00 FortiAuthenticator-BA radiusd[1488]: (4767)     [facauth] = ok
2025-05-13T09:00:14.068178+02:00 FortiAuthenticator-BA radiusd[1488]: (4767)   } # Auth-Type CSID = ok
2025-05-13T09:00:14.068761+02:00 FortiAuthenticator-BA radiusd[1488]: (4767) Using Post-Auth-Type CSID

 

 

6 REPLIES
Anthony_E
Community Manager

Hello,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
Anthony_E
Community Manager

Hello,

 

We are still looking for someone to help you.

We will come back to you ASAP.


Thanks,

Anthony-Fortinet Community Team.
tbarua
Staff

Hi, 

 

As per the provided logs, user aabbcc is marked as an invalid user. Can you confirm whether it is a valid user?

 

2025-05-13T09:00:14.065119+02:00 FortiAuthenticator-BA radiusd[1488]: (4767) facauth: Updated auth log 'aabbcc' for attempt from 10.10.1.116: user authentication error: invalid user

 

Successful log: 

2025-05-13T09:00:14.068143+02:00 FortiAuthenticator-BA radiusd[1488]: (4767) facauth: Updated auth log 'B20195042' for attempt from 10.10.1.116: MAC-based authentication successful

 

In the successful log, user 'B20195042' was authenticated successfully by MAC-based authentication, which seems to be a valid user.

 

Kind regards,

Tuli
tobisfr
New Contributor III

 

Sorry, I modified the MAC address in the logs because I didn't want to publish it.
aabbcc is the MAC address of the mentioned client B20195042.

It only exists under User Management -> MAC Devices.

 

julien_henry
New Contributor

Hello,

It looks more like a bug because this behavior appeared for us after the 6.6.2->6.6.3 update for our customers. Everything continues to work well as before. However, the logs are polluted and exceptions had to be made on the SIEM side.

Regards,
Julien

shikhakolekar

Hello, 

 

This is related to a known issue, 1168347, which is targeted to be fixed in 6.6.5. The authentication is always successful, but the log would show a failed result and then a successful one. It is only a behavioral change when we look at the log and has no impact on authentication.

 

If you have found a solution, please like and accept it to make it easily accessible to others.


Thanks
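
An added example (not from the thread or from Fortinet): one way to scope the SIEM exception mentioned above so that it drops only an "invalid user" record followed by a MAC-based success for the same radiusd request, while a failure with no matching success still alerts. The line format follows the debug log posted in the thread; the 50 ms window, the function name and the second sample request are assumptions.

```python
import re
from datetime import datetime, timedelta

# "Updated auth log" debug lines in the format posted in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ radiusd\[(?P<pid>\d+)\]: \((?P<req>\d+)\) facauth: "
    r"Updated auth log '(?P<name>[^']*)' for attempt from (?P<nas>\S+): "
    r"(?P<msg>.+?)\s*$"
)
FAIL = "user authentication error: invalid user"
OK = "MAC-based authentication successful"
WINDOW = timedelta(milliseconds=50)  # assumption; the thread shows a ~3 ms gap

def classify(lines):
    """Return (suppressed, alerts): names that were logged with 'invalid user'."""
    pending = {}  # (pid, request number, NAS IP) -> (timestamp, name)
    suppressed, alerts = [], []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # attribute dumps and other debug lines
        ts = datetime.fromisoformat(m["ts"])
        key = (m["pid"], m["req"], m["nas"])
        if m["msg"] == FAIL:
            pending[key] = (ts, m["name"])
        elif m["msg"] == OK and key in pending:
            fail_ts, name = pending.pop(key)
            # Same request succeeded right after: the log artifact described above.
            (suppressed if ts - fail_ts <= WINDOW else alerts).append(name)
    # Failures never followed by a success for the same request stay alertable.
    alerts.extend(name for _, name in pending.values())
    return suppressed, alerts

# Constructed sample: request 4767 mirrors the thread; request 5001 is invented.
P = "FortiAuthenticator-BA radiusd[1488]:"
SAMPLE = [
    f"2025-05-13T09:00:14.065119+02:00 {P} (4767) facauth: Updated auth log 'aabbcc' for attempt from 10.10.1.116: user authentication error: invalid user ",
    f"2025-05-13T09:00:14.065149+02:00 {P} (4767) Found Auth-Type = CSID",
    f"2025-05-13T09:00:14.068143+02:00 {P} (4767) facauth: Updated auth log 'B20195042' for attempt from 10.10.1.116: MAC-based authentication successful ",
    f"2025-05-13T09:00:20.101000+02:00 {P} (5001) facauth: Updated auth log 'ddeeff' for attempt from 10.10.1.116: user authentication error: invalid user ",
]

if __name__ == "__main__":
    print(classify(SAMPLE))
```

Keying on the request number instead of filtering every "invalid user" line keeps failures from unregistered MAC addresses visible to the SIEM.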
