Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiGuest
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiSRA
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiScan
- FortiSandbox
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiWAN
- FortiToken
- FortiVoice
- FortiWeb
- Wireless Controller
- FortiAppSec Cloud
- RMA Information and Announcements
- Lacework
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- FortiAuthenticator issue with 802.1x after upgrade...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FortiAuthenticator issue with 802.1x after upgrade to 6.5.6
some clients cant get auth.
2024-12-16T09:18:21.114057+01:00 FortiAuthenticator radiusd[12310]: Waking up in 28.7 seconds.
2024-12-16T09:18:23.758246+01:00 FortiAuthenticator radiusd[12310]: Waking up in 0.3 seconds.
2024-12-16T09:18:23.758261+01:00 FortiAuthenticator radiusd[12310]: (6) Received Access-Request Id 89 from 172.16.1.249:38059 to 172.16.1.250:1812 length 120
2024-12-16T09:18:23.758268+01:00 FortiAuthenticator radiusd[12310]: (6) User-Name = "host/war-l-glub"
2024-12-16T09:18:23.758272+01:00 FortiAuthenticator radiusd[12310]: (6) EAP-Message = 0x020700060d00
2024-12-16T09:18:23.758275+01:00 FortiAuthenticator radiusd[12310]: (6) NAS-IP-Address = 172.16.1.249
2024-12-16T09:18:23.758280+01:00 FortiAuthenticator radiusd[12310]: (6) NAS-Port = 5
2024-12-16T09:18:23.758284+01:00 FortiAuthenticator radiusd[12310]: (6) NAS-Identifier = "3460F9DAC3EE"
2024-12-16T09:18:23.758288+01:00 FortiAuthenticator radiusd[12310]: (6) Service-Type = Framed-User
2024-12-16T09:18:23.758291+01:00 FortiAuthenticator radiusd[12310]: (6) Calling-Station-Id = "50-EB-F6-8E-80-C5"
2024-12-16T09:18:23.758295+01:00 FortiAuthenticator radiusd[12310]: (6) NAS-Port-Type = Ethernet
2024-12-16T09:18:23.758299+01:00 FortiAuthenticator radiusd[12310]: (6) Message-Authenticator = 0x814953e97fa2361572c6ce73757538ef
2024-12-16T09:18:23.758304+01:00 FortiAuthenticator radiusd[12310]: (6) # Executing section authorize from file /usr/etc/raddb/sites-enabled/default
2024-12-16T09:18:23.758335+01:00 FortiAuthenticator radiusd[12310]: (6) facauth: ===>NAS IP:172.16.1.249
2024-12-16T09:18:23.758344+01:00 FortiAuthenticator radiusd[12310]: (6) facauth: ===>Username:host/war-l-glub
2024-12-16T09:18:23.758354+01:00 FortiAuthenticator radiusd[12310]: (6) facauth: ===>Timestamp:1734337103.758192, age:0ms
2024-12-16T09:18:23.758371+01:00 FortiAuthenticator radiusd[12310]: (6) facauth: Found authclient from preloaded authclients list for 172.16.1.249: 172.16.1.249 (172.16.1.249)
2024-12-16T09:18:23.758919+01:00 FortiAuthenticator radiusd[12310]: (6) facauth: Found authpolicy 'switche-certyfikaty' for client '172.16.1.249'
2024-12-16T09:18:23.758932+01:00 FortiAuthenticator radiusd[12310]: (6) facauth: Client type: external (subtype: radius)
2024-12-16T09:18:23.758937+01:00 FortiAuthenticator radiusd[12310]: (6) facauth: Input raw_username: host/war-l-glub Realm: (null) username: host/war-l-glub
2024-12-16T09:18:23.758940+01:00 FortiAuthenticator radiusd[12310]: (6) facauth: Searching default realm as well
2024-12-16T09:18:23.758945+01:00 FortiAuthenticator radiusd[12310]: (6) facauth: Realm not specified, default goes to FAC local user
2024-12-16T09:18:23.759457+01:00 FortiAuthenticator radiusd[12310]: (6) facauth: Local user found: host/war-l-glub
2024-12-16T09:18:23.759463+01:00 FortiAuthenticator radiusd[12310]: (6) facauth: User [enable fido: false, token count: 0, revoked_token_count: 0]
2024-12-16T09:18:23.759468+01:00 FortiAuthenticator radiusd[12310]: (6) facauth: Policy [fido_auth_opt: disabled, twofactor: allow both, no_fido: two factor, revoked: reject]
2024-12-16T09:18:23.759472+01:00 FortiAuthenticator radiusd[12310]: (6) facauth: Decided on [is_fido: false, two_factor: allow both, token_type: none]
2024-12-16T09:18:23.759490+01:00 FortiAuthenticator radiusd[12310]: (6) # Executing group from file /usr/etc/raddb/sites-enabled/default
2024-12-16T09:18:23.759498+01:00 FortiAuthenticator radiusd[12310]: (6) eap: ERROR: EAP requires the State attribute to work, but no State exists in the Access-Request packet.
2024-12-16T09:18:23.759504+01:00 FortiAuthenticator radiusd[12310]: (6) eap: ERROR: The RADIUS client is broken. No amount of changing FreeRADIUS will fix the RADIUS client.
2024-12-16T09:18:23.759508+01:00 FortiAuthenticator radiusd[12310]: (6) eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
2024-12-16T09:18:23.759517+01:00 FortiAuthenticator radiusd[12310]: (6) # Executing group from file /usr/etc/raddb/sites-enabled/default
2024-12-16T09:18:23.759546+01:00 FortiAuthenticator radiusd[12310]: (6) facauth: Updated auth log 'host/war-l-glub' for attempt from 172.16.1.249: 802.1x authentication failed
2024-12-16T09:18:24.094033+01:00 FortiAuthenticator radiusd[12310]: Waking up in 0.6 seconds.
2024-12-16T09:18:24.762025+01:00 FortiAuthenticator radiusd[12310]: (6) Sent Access-Reject Id 89 from 172.16.1.250:1812 to 172.16.1.249:38059 length 20
2024-12-16T09:18:24.762064+01:00 FortiAuthenticator radiusd[12310]: Waking up in 25.0 seconds
OR:
ap: ERROR: EAP requires the State attribute to work, but no State exists in the Access-Request packet.
2024-12-16T09:42:02.095167+01:00 FortiAuthenticator radiusd[15329]: (0) eap: ERROR: The RADIUS client is broken. No amount of changing FreeRADIUS will fix the RADIUS client.
2024-12-16T09:42:02.095175+01:00 FortiAuthenticator radiusd[15329]: (0) eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
Did some packet capture but cant find an issue here ;/
https://drive.google.com/file/d/1ov9ZymTzyuRHTobLdA9EAzEXqiK5-6Dv/view?usp=share_link
Labels:
- Labels:
-
FortiAuthenticator
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Probably it is due the RADIUS vulnerability that was fixed in FAC 6.5.6.
https://docs.fortinet.com/document/fortigate/7.2.10/fortios-release-notes/5880/radius-vulnerability
Hope it helps.
AEK
AEK
Created on 12-18-2024 01:18 PM Edited on 12-18-2024 03:17 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thx for reply, but in this case FAC is being used only with endpoints. FGT doesnt have configured any Radius - there is no RADIUS in policies(yet). So i dont think that it might be an issue. in Fact we already upgrade to 6.5.6 from 6.4.5
I wonder about packet fragmentation in FAC. packet capture shows that fragmentation is occur. FAC and Switch is on the same subnet.
Wireshark: [BoundError Unreassembled Packet: RADIUS]"
001. .... = Flags: 0x1, More fragments
0... .... = Reserved bit: Not set
.0.. .... = Don't fragment: Not set
@AEK wrote:Probably it is due the RADIUS vulnerability that was fixed in FAC 6.5.6.
https://docs.fortinet.com/document/fortigate/7.2.10/fortios-release-notes/5880/radius-vulnerability
Hope it helps.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Probably the error message is related to the issue.
All I can suggest is to check MTU is the same along the path (switch, AP if used, clients, FAC, VMware, ...).
Hope some more experienced community members can help further, like @Toshi_Esumi & @ebilcari
AEK
AEK
Created on 12-20-2024 12:00 PM Edited on 12-20-2024 12:00 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As an "experienced" user, I would call in TAC immediately to get it troubleshot if you haven't reverted back to previous version. We don't do any 802.1x auth with FAC.
Toshi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
It looks the Radius process was hanging in the FortiAuthenticator and seems related to a bug in this version. We can try to reboot the FortiAuthenticator and see if issue is resolved or upgrade to 6.6.2.
Regards,
George
Labels
-
FortiGate
9,443 -
FortiClient
1,918 -
5.2
801 -
FortiManager
799 -
5.4
639 -
FortiAnalyzer
617 -
FortiSwitch
515 -
FortiAP
507 -
FortiClient EMS
474 -
6.0
416 -
5.6
362 -
FortiMail
340 -
SSL-VPN
305 -
IPsec
280 -
6.2
251 -
FortiAuthenticator v5.5
234 -
FortiNAC
226 -
FortiWeb
226 -
5.0
196 -
FortiGuard
151 -
SD-WAN
145 -
FortiAuthenticator
135 -
6.4
128 -
Firewall policy
108 -
FortiGateCloud
105 -
FortiSIEM
103 -
FortiCloud Products
102 -
FortiToken
96 -
Wireless Controller
86 -
Customer Service
82 -
FortiProxy
72 -
High Availability
68 -
4.0MR3
64 -
Fortivoice
61 -
FortiEDR
61 -
ZTNA
60 -
Routing
59 -
FortiADC
57 -
VLAN
57 -
DNS
55 -
BGP
54 -
FortiGate-VM
53 -
SAML
50 -
Authentication
50 -
RADIUS
49 -
FortiSandbox
48 -
LDAP
48 -
NAT
47 -
FortiExtender
46 -
Certificate
46 -
FortiDNS
43 -
SSO
43 -
FortiGate v5.4
35 -
VDOM
35 -
FortiLink
35 -
FortiSwitch v6.4
34 -
Application control
34 -
Interface
33 -
FortiConnect
32 -
Logging
32 -
FortiWAN
30 -
Virtual IP
29 -
Web profile
29 -
FortiGate v5.2
26 -
FortiConverter
26 -
FortiPAM
26 -
FortiPortal
23 -
SSL SSH inspection
23 -
FortiGate Cloud
21 -
Traffic shaping
21 -
Automation
21 -
Static route
21 -
FortiSwitch v6.2
20 -
SSID
20 -
SNMP
19 -
FortiMonitor
18 -
WAN optimization
18 -
OSPF
16 -
System settings
16 -
FortiDDoS
15 -
Security profile
15 -
Web application firewall profile
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
FortiCASB
14 -
API
14 -
Admin
14 -
IP address management - IPAM
14 -
IPS signature
13 -
FortiManager v5.0
12 -
Proxy policy
12 -
FortiManager v4.0
11 -
FortiRecorder
11 -
Traffic shaping policy
11 -
FortiAP profile
11 -
Web rating
11 -
Intrusion prevention
11 -
FortiBridge
10 -
Explicit proxy
10 -
Fabric connector
10 -
Port policy
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiAnalyzer v5.0
9 -
FortiWeb v5.0
9 -
DNS filter
9 -
Users
9 -
Traffic shaping profile
9 -
FortiDeceptor
8 -
FortiCache
8 -
RMA Information and Announcements
8 -
trunk
8 -
Antivirus profile
8 -
Fortinet Engage Partner Program
8 -
4.0
7 -
FortiToken Cloud
6 -
Packet capture
6 -
Authentication rule and scheme
6 -
FortiCarrier
5 -
FortiScan
5 -
FortiTester
5 -
Application signature
5 -
DLP profile
5 -
DoS policy
5 -
Email filter profile
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
NAC policy
4 -
DLP sensor
4 -
Netflow
4 -
Protocol option
4 -
TACACS
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
VoIP profile
4 -
Multicast routing
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
DLP Dictionary
3 -
Multicast policy
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
File filter
2 -
Schedule
2 -
Zone
2 -
Vulnerability Management
2 -
FortiEdge Cloud
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Virtual wire pair
1 -
FortiEdge
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2087 | |
| 1182 | |
| 770 | |
| 451 | |
| 344 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.