Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor II

FortiGate and Fortiap with Radius authentication

Hi guys.

A customer  asked for FortiGate WIFI with Radius authentication.

I tried to do it on a lab first.

I have windows server 2016 with a ad domain and radius server with Certificate issued.

Also I have Fortigate 40F and Fortiap 220B ( I know its old but this is what i currently have)

I have configured WPA2  Enterprise with radius server and created a group that belongs to the radius server and everything looks fine.

When i login to the wifi i put my credentials and its taking its time on checking network environment.

Eventually I'm able to login.. I'm getting apipa address and when I check the Fortigate wifi clients i see that the user is logged in and was assigned an IP.

Can you guys help ? I dont know what am i doing wrong :\


It looks like there is some issue with the DHCP server configured for this VPN . Doble check the configuration and DHCP scope

On the FortiGate what IP do you see for this user? Same APIPA?
You can also run packet capture to see if the DHCP negotiation process. 

If you have found a solution, please like and accept it to make it easily accessible for others.
Contributor III

A couple of questions to help narrow it down:

Are you using a bridge or tunnel SSID?

- If bridged did you assign a default vlan?

- If Tunneled do you have the DHCP server enabled on that ssid interface?

Are you trying to send back any vlans in the radius response or just an access-accept?

New Contributor II

Hi its on the same scope and in the DHCP  I see  the domain and the user and a legitimate IP for exmaple

I tried to see dhcp negotiation by running this commands


diag debug reset
diag debug application dhcpc -1
diag debug enable

and it didn't show any results..


I  used tunnel with DHCP server enabled

And i think its just access accept.. if the user is in a group "WIFI" so it can get access to the internet



You can run a packet capture and filter with port 67/68 :
diag sniffer packet <interface_name/any> "port 67 or port 68" 6 0 1

If you have found a solution, please like and accept it to make it easily accessible for others.

if you are using fortigate wireless-controller as the dhcp server, these debugs should be run instead. dhcps is for fortigate as dhcp server. dhcpc is for fortigate as dhcp client.

# diag deb app dhcps -1

# diag deb enable


your issue seems to be that authentication is successful but dhcp ip assignment is failing. in wlan, authentication is done first before dhcp ip is obtained

**If you come across a resolution, kindly show your appreciation by liking and accepting it, ensuring its accessibility for others**
New Contributor II

@dbu  @jiahoong112 

I ran the commands but it doesn't show anything

I see in the DHCP that the mac address got an IP with username and password





Can you try to assign an IP address manually as per the IP pool it should belong to and try again if it works? 

If you have found a solution, please like and accept it to make it easily accessible for others.
Contributor III

if you look at the scope are there any DHCP options that are set?  

config system dhcp server


I would also run a wireshark capture on the client and see if you get the DHCP OFFER to the client.  



Release the IP for the end device and then run the packet sniffer for DHCP:
diag sniffer packet any "port 67 or port 68" 4 0 l


Also run wireshark on end device at the same time


Check if the DORA process completes on both sides. 

When Fortigates sends offer, it will put the IP in DHCP lease even if DORA has not completed. So in that case you would see IP Assigned on fortigate but no IP on end device.  


Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Top Kudoed Authors