Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Fortiswitch RADIUS Authentication not arrives exte...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fortiswitch RADIUS Authentication not arrives external RADIUS Server
Hello all,
I am currently setting up 802.x1 EAP-TLS authentication on an external cloud radius server on my FortiSwitch 448E-POE (Fortilink) and am experiencing a minor issue.
Basically, I wanted to do this via TLS TCP (RadSec).
I noticed that the FortiSwitches only send the packets as UDP. Presumably, the current FortiSwitch FW S448EP-v7.6.2-build1085,250526 (GA) does not support TLS over TCP, is that correct? In any case, there is no mention of “set transport-protocol tls” in the radius profile on the switch.
The FGT with FW v7.6.3 build3510 (feature) seems to support this; at least, I can see that the packets are sent as TCP and they also arrive on my RADIUS server.
In any case, I have now adjusted the RADIUS client so that it performs authentication via UDP on the RADIUS server. The query is also successful and arrives at the RADIUS server.
The problem is that when I try to authenticate on a port of the FortiSwitch, no packets arrive at the RADIUS server. In debug mode, I can see that packets are leaving switch 10.255.1.2, but nothing is arriving at the Radius server.
I have also created a firewall policy for testing: incoming interface fortilink_default / outgoing WAN / source all / destination all / service all
Regards
fabss
Solved! Go to Solution.
Labels:
- Labels:
-
FortiGate
-
FortiSwitch
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Okay, I was able to resolve it.
The correct interface is not “_default.fortilink (_default)” but “fortilink”
This was not visible in the GUI, so I had to adjust the policy via CLI.
9 REPLIES 9
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi fabs,
on FortiGate try to see if the packets are received and what happens to them.
For one, run a packet capture on CLI and test.
diag sniffer packet any 'port 1812' 4 0 l
If you see the packets coming on some inbound interface, but not leaving, see what the firewall thinks on how to handle such packets:
diag debug flow filter port 1812
diag debug flow show iprope enable
diag debug enable
diag debug flow trace start 5
If the environment is busy with RADIUS requests, 5 might be a value too low; choose another if the screen fills up, without your test. This is only the amount of packets that are shown for policy evaluation, but it also shows routing decisions for the packets.
- Markus
Created on 08-06-2025 05:42 AM Edited on 08-06-2025 05:53 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Markus_M
This is the debug:
FGT01 # diag sniffer packet any 'port 1812' 4 0 l
interfaces=[any]
filters=[port 1812]
2025-08-06 14:29:31.274621 port2 in 10.255.1.2.49609 -> 209.xx.xxx.xxx.1812: udp 149
2025-08-06 14:29:31.274630 fortilink in 10.255.1.2.49609 -> 209.xx.xxx.xxx.1812: udp 149
2025-08-06 14:30:09.365959 port2 in 10.255.1.2.36722 -> 209.xx.xxx.xxx.1812: udp 149
2025-08-06 14:30:09.365966 fortilink in 10.255.1.2.36722 -> 209.xx.xxx.xxx.1812: udp 149
FGT01 # id=65308 trace_id=23 func=print_pkt_detail line=6138 msg="vd-root:0 received a packet(proto=17, 10.255.1.2:40719->209.xx.xxx.xxx:1812) tun_id=0.0.0.0 from fortilink. "
id=65308 trace_id=23 func=init_ip_session_common line=6344 msg="allocate a new session-002558a0"
id=65308 trace_id=23 func=iprope_dnat_check line=5541 msg="in-[fortilink], out-[]"
id=65308 trace_id=23 func=iprope_dnat_tree_check line=836 msg="len=0"
id=65308 trace_id=23 func=iprope_dnat_check line=5566 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=23 func=vf_ip_route_input_common line=2615 msg="find a route: flag=04000000 gw-81.xx.xx.xx via wan1"
id=65308 trace_id=23 func=__iprope_fwd_check line=828 msg="in-[fortilink], out-[wan1], skb_flags-02000000, vid-0, app_id: 0, url_cat_id: 0"
id=65308 trace_id=23 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=71, len=2"
id=65308 trace_id=23 func=__iprope_check_one_policy line=2166 msg="checked gnum-100004 policy-7, ret-no-match, act-accept"
id=65308 trace_id=23 func=__iprope_check_one_policy line=2166 msg="checked gnum-100004 policy-0, ret-matched, act-accept"
id=65308 trace_id=23 func=__iprope_user_identity_check line=1929 msg="ret-matched"
id=65308 trace_id=23 func=__iprope_check_one_policy line=2402 msg="policy-0 is matched, act-drop"
id=65308 trace_id=23 func=__iprope_fwd_check line=865 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
id=65308 trace_id=23 func=iprope_fwd_auth_check line=894 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
id=65308 trace_id=23 func=iprope_shaping_check line=992 msg="in-[fortilink], out-[wan1], skb_flags-02000000, vid-0"
id=65308 trace_id=23 func=__iprope_check line=2432 msg="gnum-100015, check-ffffffbffc02cad0"
id=65308 trace_id=23 func=__iprope_check_one_policy line=2166 msg="checked gnum-100015 policy-1, ret-no-match, act-accept"
id=65308 trace_id=23 func=__iprope_check line=2449 msg="gnum-100015 check result: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=65308 trace_id=23 func=iprope_policy_group_check line=4961 msg="after check: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=65308 trace_id=23 func=fw_forward_handler line=839 msg="Denied by forward policy check (policy 0)"Am I correct in assuming that the firewall policy is not matching and the connection is blocked?
If so, why? I selected “_default.fortilink (_default)” as the incoming interface.
Regards
fabs
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello again,
is it possible that I need to add an additional route to the radius server?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi fabs,
quite so. See this line:
id=65308 trace_id=23 func=vf_ip_route_input_common line=2615 msg="find a route: flag=04000000 gw-81.xx.xx.xx via wan1It seems that the traffic is routed towards the wan1, not where it probably is supposed to go. Is that the intended destination IP?
To check the route:
get router info routing details 209.xx.xxx.xx
Sample output from my lab:
FGT # get router info routing detail 192.168.38.38
Routing table for VRF=0
Routing entry for 192.168.38.0/24
Known via "connected", distance 0, metric 0, best
* is directly connected, port4
- Markus
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Markus_M
The traffic should go via WAN1 because the RADIUS Server is cloud based.
The get router looks ok:
FGT01 # get router info routing details 209.xx.xxx.xxx
Routing table for VRF=0
Routing entry for 0.0.0.0/0
Known via "static", distance 10, metric 0, best
* vrf 0 81.xx.xx.xx, via wan1but what means
id=65308 trace_id=23 func=fw_forward_handler line=839 msg="Denied by forward policy check (policy 0)"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm also not able to ping the external RADIUS Server from the switches.
Telnet is also not working.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Denied by forward policy check (policy 0)
There is no policy allowing the traffic. If this is really intended to go via wan1, see to use RADSEC or some method to have this traffic encrypted. RADIUS is plaintext mostly.
- Markus
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @Markus_M
We cannot use RADSEC (TLS TCP) since for my understanding the FortiSwitch 7.6.2 not support Radius TLS via TCP yet. Is this correct?
Further I do not understand why there is no policy which allows the traffic, since I created one policy for testing.
Incoming Interface: _default.fortilink (_default)
Outgoing Interface: WAN1
Source: all
Destination: all
Service: ALL
NAT: enabled
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Okay, I was able to resolve it.
The correct interface is not “_default.fortilink (_default)” but “fortilink”
This was not visible in the GUI, so I had to adjust the policy via CLI.
Labels
-
FortiGate
10,546 -
FortiClient
2,144 -
FortiManager
889 -
5.2
687 -
FortiAnalyzer
677 -
5.4
638 -
FortiSwitch
582 -
FortiAP
559 -
FortiClient EMS
557 -
IPsec
417 -
6.0
416 -
SSL-VPN
374 -
FortiMail
371 -
5.6
362 -
FortiNAC
279 -
FortiWeb
252 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
191 -
FortiAuthenticator
170 -
FortiGuard
159 -
5.0
152 -
Firewall policy
142 -
FortiGate-VM
129 -
6.4
128 -
FortiCloud Products
116 -
FortiSIEM
113 -
FortiGateCloud
112 -
FortiToken
111 -
Wireless Controller
95 -
Customer Service
88 -
High Availability
83 -
FortiProxy
77 -
Routing
75 -
ZTNA
75 -
Fortivoice
71 -
SAML
71 -
DNS
71 -
VLAN
70 -
FortiEDR
68 -
FortiADC
68 -
BGP
67 -
Authentication
66 -
Certificate
64 -
RADIUS
59 -
LDAP
58 -
SSO
54 -
fortilink
54 -
FortiSandbox
53 -
NAT
52 -
FortiExtender
51 -
4.0MR3
49 -
VDOM
45 -
Application control
44 -
FortiDNS
43 -
Interface
43 -
Logging
40 -
Virtual IP
39 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
FortiPAM
35 -
SSL SSH inspection
35 -
Web profile
35 -
FortiConnect
34 -
Automation
33 -
FortiWAN
31 -
FortiConverter
30 -
FortiGate v5.2
27 -
Traffic shaping
26 -
SNMP
25 -
API
25 -
SSID
25 -
Static route
25 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
FortiGate Cloud
23 -
System settings
22 -
OSPF
20 -
WAN optimization
20 -
FortiMonitor
19 -
Security profile
19 -
Web application firewall profile
18 -
IP address management - IPAM
18 -
FortiSoar
17 -
Web rating
17 -
FortiGate v5.0
16 -
FortiDDoS
16 -
FortiAP profile
16 -
Explicit proxy
15 -
Admin
15 -
Proxy policy
15 -
FortiCASB
14 -
IPS signature
14 -
Intrusion prevention
14 -
FortiManager v4.0
13 -
DNS filter
13 -
FortiManager v5.0
12 -
NAC policy
12 -
users
12 -
Traffic shaping policy
12 -
Fabric connector
12 -
Port policy
12 -
FortiDeceptor
11 -
FortiRecorder
11 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
FortiBridge
10 -
Trunk
10 -
Traffic shaping profile
10 -
Authentication rule and scheme
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
FortiCache
8 -
FortiToken Cloud
8 -
4.0
7 -
4.0MR2
7 -
Packet capture
7 -
Application signature
7 -
VoIP profile
7 -
Vulnerability Management
7 -
FortiScan
6 -
FortiCarrier
5 -
FortiNDR
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
DoS policy
5 -
Email filter profile
5 -
Protocol option
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
TACACS
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
Kerberos
3 -
File filter
3 -
Multicast policy
3 -
FortiEdge Cloud
3 -
FortiInsight
2 -
FortiAI
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
Lacework
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
FortiSASE
1 -
Virtual wire pair
1 -
FortiEdge
1 -
FortiAIOps
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2570 | |
| 1364 | |
| 796 | |
| 651 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.