Support Forum
fabs
New Contributor III

FortiOS 7.6.0 Build3401 - RadSec TLS 1.3 not possible

Hello all,

I have a problem, probably related to my FortiGate 100F, establishing a RadSec TLS 1.3 connection from a UniFi AC Pro AP to an external RadSec server (RADIUS). The connection is made via a Ubiquiti UniFi AC Pro AP and Ubiquiti UniFi Application 8.5.6, and RadSec is officially supported.
The connection via RADIUS works, but as soon as I activate TLS for this connection with the required certificates (root, client, private key), no connection is established.

In the log files I do not actually see that the connection is blocked. The only thing I see is action="close" - what does this mean?
When I add the external IP to the exclusion list of my SSL Deep Inspection, I can't connect either.
Even if I temporarily deactivate IPS, SSL and App Control, I cannot establish a connection.
I can establish a telnet connection to the RadSec server from the FortiGate and from the UniFi AC Pro AP. However, this is terminated immediately.

date=2024-10-21 time=13:42:13 eventtime=1729510933581869890 tz="+0200" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.10.237 srcport=58594 srcintf="VLAN10" srcintfrole="lan" dstip=206.xxx.xxx.xxx dstport=2083 dstintf="wan1" dstintfrole="wan" srccountry="Reserved" dstinetsvc="DigitalOcean-DigitalOcean.Platform" dstcountry="Netherlands" dstregion="North Holland" dstcity="Amsterdam" dstreputation=4 sessionid=16267522 proto=6 action="close" policyid=2 policytype="policy" poluuid="b08ab9d0-cf8b-51ec-7409-582ae59457cf" policyname="VLAN10 -> WAN" service="DigitalOcean-DigitalOcean.Platform" trandisp="snat" transip=xx.xx.xx.xx transport=58594 appid=47013 app="SSL_TLSv1.3" appcat="Network.Service" apprisk="medium" applist="block-high-risk" appact="detected" duration=2 sentbyte=1015 rcvdbyte=4293 sentpkt=11 rcvdpkt=8 sslaction="exempt-addr" utmaction="allow" countapp=2 countssl=1 srchwvendor="Ubiquiti" mastersrcmac="d0:xx:xx:xx:xx:xx" srcmac="d0:xx:xx:xx:xx:xx" srcserver=0 utmref=16267522:1729510934

What else could cause a problem here?

Thanks
fabs

Anthony_E
Community Manager

Hello Fabs,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Thanks,

Anthony-Fortinet Community Team.
AEK
SuperUser

Hello Fabs

I'm not a TLS specialist, but I still see some issues with TLS 1.3 in forums, "probably" due to its new implementation on some devices.

Is there any reason you use 1.3? If not, you may try with 1.2, which is still very secure.

AEK
fabs
New Contributor III

Hello,

Unfortunately I can't control that; as soon as I activate the TLS settings in Ubiquiti UniFi, it is probably sent using TLS 1.3.

pminarik
Staff

"action=close" means the session was allowed, some traffic passed, and then the session was closed.

As you can see ("sentpkt=11 rcvdpkt=8"), there were 11 and 8 packets sent in the two directions.

Are you willing to share a pcap of that exchange to have a look at it in detail?

[ corrections always welcome ]
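To make the reading of the posted log line above reproducible, here is a small parser for the FortiGate key=value traffic-log format. It is an added example, not Fortinet code and not from anyone in this thread. It pulls out the fields pminarik points at (action, sentpkt/rcvdpkt, and also sslaction and utmaction) and turns them into a plain summary of what the firewall says about the session. The sample lines are constructed: the first mirrors the posted line with the masked destination replaced by a documentation address, the second is a made-up denied session for contrast.

```python
"""Parse FortiGate key=value traffic-log lines and summarise the session outcome.

Added example for this thread; not Fortinet code. The field meanings used here
(action, sentpkt/rcvdpkt, sentbyte/rcvdbyte, sslaction, utmaction, app) are the
standard FortiGate traffic-log fields; the sample lines below are constructed.
"""
import re
import shlex

# Constructed sample modelled on the line posted in the thread; the masked
# destination is replaced by a documentation address (203.0.113.10).
SAMPLE_CLOSE = (
    'date=2024-10-21 time=13:42:13 type="traffic" subtype="forward" level="notice" vd="root" '
    'srcip=192.168.10.237 srcport=58594 srcintf="VLAN10" dstip=203.0.113.10 dstport=2083 '
    'dstintf="wan1" proto=6 action="close" policyid=2 policyname="VLAN10 -> WAN" '
    'app="SSL_TLSv1.3" appact="detected" duration=2 sentbyte=1015 rcvdbyte=4293 '
    'sentpkt=11 rcvdpkt=8 sslaction="exempt-addr" utmaction="allow"'
)

# Constructed contrast case: a session that a policy actually denied.
SAMPLE_DENY = (
    'date=2024-10-21 time=13:45:00 type="traffic" subtype="forward" level="notice" vd="root" '
    'srcip=192.168.10.237 srcport=58601 dstip=203.0.113.10 dstport=2083 proto=6 '
    'action="deny" policyid=0 policyname="Implicit Deny" duration=0 sentbyte=0 rcvdbyte=0 '
    'sentpkt=0 rcvdpkt=0'
)

_INT = re.compile(r"^-?\d+$")


def parse_fortigate_log(line: str) -> dict:
    """Split a key=value log line into a dict.

    shlex handles the quoting, so values with spaces (policyname="VLAN10 -> WAN")
    stay intact; purely numeric values are converted to int.
    """
    fields = {}
    for token in shlex.split(line):
        if "=" not in token:
            continue  # ignore stray words such as a syslog prefix
        key, value = token.split("=", 1)
        fields[key] = int(value) if _INT.match(value) else value
    return fields


def summarize_session(fields: dict) -> dict:
    """Derive what the line says about the session from the parsed fields."""
    action = fields.get("action", "")
    if action == "deny":
        verdict = "blocked"            # policy denied the session
    elif action in ("accept", "close", "timeout"):
        verdict = "allowed"            # session was permitted; close/timeout say how it ended
    else:
        verdict = "unknown"
    sent = fields.get("sentpkt", 0)
    rcvd = fields.get("rcvdpkt", 0)
    return {
        "verdict": verdict,
        "closed_normally": action == "close",          # ended by FIN/RST, not a policy deny
        "bidirectional": sent > 0 and rcvd > 0,        # packets flowed both ways
        "packets": (sent, rcvd),
        "bytes": (fields.get("sentbyte", 0), fields.get("rcvdbyte", 0)),
        "duration_s": fields.get("duration", 0),
        "ssl_exempted": fields.get("sslaction") == "exempt-addr",  # deep inspection skipped
        "utm_allowed": fields.get("utmaction") == "allow",
        "app": fields.get("app"),
    }


if __name__ == "__main__":
    for name, line in (("posted-style line", SAMPLE_CLOSE), ("denied line", SAMPLE_DENY)):
        summary = summarize_session(parse_fortigate_log(line))
        print(name, "->", summary)
```

Run against the posted-style line it reports verdict "allowed", closed_normally True, bidirectional True with 11/8 packets, ssl_exempted True and app "SSL_TLSv1.3"; the denied line gives "blocked" with no packets either way. That is the same reading pminarik gives: the firewall let the session through and saw the TLS 1.3 exchange, so the failure is in what the two TLS endpoints do with each other rather than in the policy. For a real investigation the pcap is what decides it; this only confirms which way to look.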
fabs
New Contributor III

Hi @pminarik 

Thank you for your reply. How can I share the pcap file here in the community, since there is no attachment function?

pminarik

It should be there.
"Drag and drop here or browse files to attach" right below the text box.
[attachment: attachments.png]

[ corrections always welcome ]
fabs
New Contributor III

Hm, this is weird, the drag and drop box is not visible.
[attachment: Screenshot 2024-10-24 144329.png]

pminarik

Maybe there are different permission levels that I have not been aware of.

Anyway, you can try some third-party temporary file storage, or go through a support ticket (safer).

[ corrections always welcome ]