Support Forum
Thonno
New Contributor III

Issue with dot1x Configuration on FortiNAC

Hello,

I am experiencing an issue with the dot1x configuration on FortiNAC.
I am using FortiNAC 700F, version 7.2.8.0149.

 

I have followed all the steps shown in this video:
https://www.youtube.com/watch?v=7pRg2-SVipo

The problem is that I don’t have the "EAP-Type-Name" option.

I still followed the entire video and applied the instructions, but when I connect a PC to the switch port where dot1x auto-registration is enabled, the PC shows "authentication failed."

 

On the FortiNAC side, I don’t see any activity logs.

 

Here is the switch configuration:

 

interface GigabitEthernet0/17
switchport access vlan 2
switchport mode access
switchport voice vlan 150
srr-queue bandwidth share 1 30 35 5
priority-queue out
authentication host-mode multi-host
authentication port-control auto
authentication periodic
authentication timer reauthenticate 180
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
mls qos trust device cisco-phone
mls qos trust cos
dot1x pae authenticator
dot1x timeout quiet-period 3
dot1x timeout server-timeout 10
dot1x timeout tx-period 10
dot1x timeout supp-timeout 6
spanning-tree portfast
spanning-tree bpduguard enable
service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
end

aaa new-model
!
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
!
aaa nas port extended
!
radius-server host 172.16.180.104 auth-port 1645 acct-port 1646 key 7 encryptedpassword
radius-server vsa send authentication


I also tried configuring:
radius-server host 172.16.180.104 auth-port 1812 acct-port 1813 key
But it didn’t make any difference.

 

Thank you in advance for your help!

Best regards,





 

17 Replies
Thonno
New Contributor III

Furthermore, in the reference video mentioned in the first post, at minute 14:01, I see that the switch should send RADIUS information with attributes such as User-Name [1], Service-Type [6], cisco-nas-port [2], etc.

When I run show logging, I don’t see logs of this kind. Additionally, when I execute radius-server attribute, I only see the following available attributes:

11 Filter-Id attribute configuration
188 Num-In-Multilink attribute configuration
218 Address-Pool attribute
25 Class attribute
30 DNIS attribute
31 Calling Station ID
32 NAS-Identifier attribute
4 NAS IP address attribute
44 Acct-Session-Id attribute
55 Event-Timestamp attribute
6 Service-Type attribute
60 CHAP-Challenge attribute
61 NAS-Port-Type attribute configuration
66 Tunnel-Client-Endpoint attribute
67 Tunnel-Server-Endpoint attribute
69 Tunnel-Password attribute
77 Connect-Info attribute
8 Framed IP address attribute
95 NAS IPv6 address attribute
list List of Attribute Types
nas-port NAS-Port attribute configuration
nas-port-id Nas-Port-Id attribute configuration

I’m not sure if it’s relevant.

Thonno
New Contributor III

After further investigations (by enabling debug radius):

Dec 5 13:28:16.246: dot1x-ev:[Gi1/0/1] Interface state changed to UP
Dec 5 13:28:16.571: dot1x-packet:[d45d.646c.d656, Gi1/0/1] queuing an EAPOL pkt on Auth Q
Dec 5 13:28:16.571: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x1
Dec 5 13:28:16.571: dot1x-packet: length: 0x0000
Dec 5 13:28:16.571: dot1x-ev:[Gi1/0/1] Dequeued pkt: Int Gi1/0/1 CODE= 0,TYPE= 0,LEN= 0

Dec 5 13:28:16.571: dot1x-ev:[Gi1/0/1] Received pkt saddr =d45d.646c.d656 , daddr = 0180.c200.0003, pae-ether-type = 888e.0101.0000
Dec 5 13:28:16.571: dot1x-ev:[Gi1/0/1] Couldn't find the supplicant in the list
Dec 5 13:28:16.571: dot1x-ev:[d45d.646c.d656, Gi1/0/1] New client detected, sending session start event for d45d.646c.d656
Dec 5 13:28:16.577: dot1x_auth Gi1/0/1: initial state auth_initialize has enter
Dec 5 13:28:16.577: dot1x-sm:[d45d.646c.d656, Gi1/0/1] 0x49000045: initialising
Dec 5 13:28:16.577: dot1x_auth Gi1/0/1: during state auth_initialize, got event 0(cfg_auto)
Dec 5 13:28:16.577: @@@ dot1x_auth Gi1/0/1: auth_initialize -> auth_disconnected
Dec 5 13:28:16.578: dot1x-sm:[d45d.646c.d656, Gi1/0/1] 0x49000045: disconnected
Dec 5 13:28:16.578: dot1x_auth Gi1/0/1: idle during state auth_disconnected
Dec 5 13:28:16.578: @@@ dot1x_auth Gi1/0/1: auth_disconnected -> auth_restart
Dec 5 13:28:16.578: dot1x-sm:[d45d.646c.d656, Gi1/0/1] 0x49000045: entering restart
Dec 5 13:28:16.578: dot1x-ev:[d45d.646c.d656, Gi1/0/1] Sending create new context event to EAP for 0x49000045 (d45d.646c.d656)
Dec 5 13:28:16.578: dot1x_auth_bend Gi1/0/1: initial state auth_bend_initialize has enter
Dec 5 13:28:16.578: dot1x-sm:[d45d.646c.d656, Gi1/0/1] 0x49000045: entering init state
Dec 5 13:28:16.578: dot1x_auth_bend Gi1/0/1: initial state auth_bend_initialize has idle
Dec 5 13:28:16.578: dot1x_auth_bend Gi1/0/1: during state auth_bend_initialize, got event 16383(idle)
Dec 5 13:28:16.578: @@@ dot1x_auth_bend Gi1/0/1: auth_bend_initialize -> auth_bend_idle
Dec 5 13:28:16.578: dot1x-sm:[d45d.646c.d656, Gi1/0/1] 0x49000045:entering idle state
Dec 5 13:28:16.578: dot1x-ev:[d45d.646c.d656, Gi1/0/1] Created a client entry (0x49000045)
Dec 5 13:28:16.578: dot1x-ev:[d45d.646c.d656, Gi1/0/1] Dot1x authentication started for 0x49000045 (d45d.646c.d656)
Dec 5 13:28:16.579: dot1x-sm:[d45d.646c.d656, Gi1/0/1] Posting !EAP_RESTART on Client 0x49000045
Dec 5 13:28:16.579: dot1x_auth Gi1/0/1: during state auth_restart, got event 6(no_eapRestart)
Dec 5 13:28:16.579: @@@ dot1x_auth Gi1/0/1: auth_restart -> auth_connecting
Dec 5 13:28:16.579: dot1x-sm:[d45d.646c.d656, Gi1/0/1] 0x49000045:enter connecting state
Dec 5 13:28:16.579: dot1x-sm:[d45d.646c.d656, Gi1/0/1] 0x49000045: restart connecting
Dec 5 13:28:16.579: dot1x-sm:[d45d.646c.d656, Gi1/0/1] Posting RX_REQ on Client 0x49000045
Dec 5 13:28:16.579: dot1x_auth Gi1/0/1: during state auth_connecting, got event 10(eapReq_no_reAuthMax)
Dec 5 13:28:16.579: @@@ dot1x_auth Gi1/0/1: auth_connecting -> auth_authenticating
Dec 5 13:28:16.579: dot1x-sm:[d45d.646c.d656, Gi1/0/1] 0x49000045: authenticating state entered
Dec 5 13:28:16.579: dot1x-sm:[d45d.646c.d656, Gi1/0/1] 0x49000045:connecting authenticating action
Dec 5 13:28:16.580: dot1x-sm:[d45d.646c.d656, Gi1/0/1] Posting AUTH_START for 0x49000045
Dec 5 13:28:16.580: dot1x_auth_bend Gi1/0/1: during state auth_bend_idle, got event 4(eapReq_authStart)
Dec 5 13:28:16.580: @@@ dot1x_auth_bend Gi1/0/1: auth_bend_idle -> auth_bend_request
Dec 5 13:28:16.580: dot1x-sm:[d45d.646c.d656, Gi1/0/1] 0x49000045:entering request state
Dec 5 13:28:16.580: dot1x-ev:[Gi1/0/1] Sending EAPOL packet to group PAE address
Dec 5 13:28:16.580: dot1x-registry:registry:dot1x_ether_macaddr called
Dec 5 13:28:16.580: dot1x-ev:[Gi1/0/1] Sending out EAPOL packet
Dec 5 13:28:16.580: dot1x-packet:EAPOL pak Tx - Ver: 0x3 type: 0x0
Dec 5 13:28:16.580: dot1x-packet: length: 0x0005
Dec 5 13:28:16.580: dot1x-packet:EAP code: 0x1 id: 0x1 length: 0x0005
Dec 5 13:28:16.580: dot1x-packet: type: 0x1
Dec 5 13:28:16.580: dot1x-packet:[d45d.646c.d656, Gi1/0/1] EAPOL packet sent to client 0x49000045
Dec 5 13:28:16.580: dot1x-sm:[d45d.646c.d656, Gi1/0/1] 0x49000045:idle request action
Dec 5 13:28:16.591: dot1x-packet:[d45d.646c.d656, Gi1/0/1] Queuing an EAPOL pkt on Authenticator Q
Dec 5 13:28:16.591: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x0
Dec 5 13:28:16.591: dot1x-packet: length: 0x001E
Dec 5 13:28:16.592: dot1x-ev:[Gi1/0/1] Dequeued pkt: Int Gi1/0/1 CODE= 2,TYPE= 1,LEN= 30

Dec 5 13:28:16.592: dot1x-ev:[Gi1/0/1] Received pkt saddr =d45d.646c.d656 , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.001e
Dec 5 13:28:16.592: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x0
Dec 5 13:28:16.592: dot1x-packet: length: 0x001E
Dec 5 13:28:16.592: dot1x-sm:[d45d.646c.d656, Gi1/0/1] Posting EAPOL_EAP for 0x49000045
Dec 5 13:28:16.592: dot1x_auth_bend Gi1/0/1: during state auth_bend_request, got event 6(eapolEap)
Dec 5 13:28:16.592: @@@ dot1x_auth_bend Gi1/0/1: auth_bend_request -> auth_bend_response
Dec 5 13:28:16.593: dot1x-sm:[d45d.646c.d656, Gi1/0/1] 0x49000045:entering response state
Dec 5 13:28:16.593: dot1x-ev:[d45d.646c.d656, Gi1/0/1] Response sent to the server from 0x49000045
Dec 5 13:28:16.593: dot1x-sm:[d45d.646c.d656, Gi1/0/1] 0x49000045:request response action
Dec 5 13:28:16.593: RADIUS/ENCODE(00000000):Orig. component type = Invalid
Dec 5 13:28:16.593: RADIUS(00000000): Config NAS IP: 0.0.0.0
Dec 5 13:28:16.593: RADIUS(00000000): Config NAS IPv6: ::
Dec 5 13:28:16.594: RADIUS(00000000): Config NAS IP: 0.0.0.0
Dec 5 13:28:16.594: RADIUS(00000000): sending
Dec 5 13:28:16.594: RADIUS/ENCODE: Best Local IP-Address 172.27.1.98 for Radius-Server 172.16.180.104
Dec 5 13:28:16.594: RADIUS(00000000): Send Access-Request to 172.16.180.104:1645 onvrf(0) id 1645/47, len 321
Dec 5 13:28:16.594: RADIUS: authenticator C1 8F 8B 74 CD 53 CD 67 - BC 57 2A 4C 31 2A C0 80
Dec 5 13:28:16.594: RADIUS: User-Name [1] 27 "user@domain.com"
Dec 5 13:28:16.594: RADIUS: Service-Type [6] 6 Framed [2]
Dec 5 13:28:16.594: RADIUS: Vendor, Cisco [26] 27
Dec 5 13:28:16.594: RADIUS: Cisco AVpair [1] 21 "service-type=Framed"
Dec 5 13:28:16.594: RADIUS: Framed-MTU [12] 6 1500
Dec 5 13:28:16.594: RADIUS: Called-Station-Id [30] 19 "70-7D-B9-3C-A2-01"
Dec 5 13:28:16.595: RADIUS: Calling-Station-Id [31] 19 "D4-5D-64-6C-D6-56"
Dec 5 13:28:16.595: RADIUS: EAP-Message [79] 32
Dec 5 13:28:16.595: RADIUS: 02 01 00 1E 01 70 61 6F 6C 6F 2E 76 61 72 63 68 65 74 74 61 40 [user@]
Dec 5 13:28:16.595: RADIUS: 61 73 6C 2D 31 31 2E 69 74 [ domain.com]
Dec 5 13:28:16.595: RADIUS: Message-Authenticato[80] 18
Dec 5 13:28:16.595: RADIUS: 88 8F E7 A7 75 78 1A 1F 9D 9A 58 55 B5 CC 2D B3 [ uxXU-]
Dec 5 13:28:16.595: RADIUS: EAP-Key-Name [102] 2 *
Dec 5 13:28:16.595: RADIUS: Vendor, Cisco [26] 49
Dec 5 13:28:16.595: RADIUS: Cisco AVpair [1] 43 "audit-session-id=AC1B01620000105D0A5FCED6"
Dec 5 13:28:16.595: RADIUS: Vendor, Cisco [26] 20
Dec 5 13:28:16.595: RADIUS: Cisco AVpair [1] 14 "method=dot1x"
Dec 5 13:28:16.595: RADIUS: NAS-IP-Address [4] 6 172.27.1.98
Dec 5 13:28:16.595: RADIUS: Nas-Identifier [32] 8 "global"
Dec 5 13:28:16.595: RADIUS: Vendor, Cisco [26] 28
Dec 5 13:28:16.595: RADIUS: cisco-nas-port [2] 22 "GigabitEthernet1/0/1"
Dec 5 13:28:16.596: RADIUS: NAS-Port-Id [87] 22 "GigabitEthernet1/0/1"
Dec 5 13:28:16.596: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
Dec 5 13:28:16.596: RADIUS: NAS-Port [5] 6 50101
Dec 5 13:28:16.596: RADIUS(00000000): Sending a IPv4 Radius Packet
Dec 5 13:28:16.596: RADIUS(00000000): Started 5 sec timeout
Dec 5 13:28:18.245: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up
Dec 5 13:28:19.243: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to up
Dec 5 13:28:21.634: RADIUS(00000000): Request timed out!
Dec 5 13:28:21.634: RADIUS: Retransmit to (172.16.180.104:1645,1646) for id 1645/47
Dec 5 13:28:21.635: RADIUS(00000000): Started 5 sec timeout
Dec 5 13:28:26.584: dot1x-sm:[d45d.646c.d656, Gi1/0/1] Posting A_WHILE_EXPIRE on 0x49000045
Dec 5 13:28:26.584: dot1x_auth_bend Gi1/0/1: during state auth_bend_response, got event 9(aWhile_expire)
Dec 5 13:28:26.584: @@@ dot1x_auth_bend Gi1/0/1: auth_bend_response -> auth_bend_timeout
Dec 5 13:28:26.584: dot1x-sm:[d45d.646c.d656, Gi1/0/1] 0x49000045:exiting response state
Dec 5 13:28:26.584: dot1x-sm:[d45d.646c.d656, Gi1/0/1] 0x49000045:entering timeout state
Dec 5 13:28:26.584: dot1x-sm:[d45d.646c.d656, Gi1/0/1] 0x49000045:response timeout action
Dec 5 13:28:26.584: dot1x_auth_bend Gi1/0/1: idle during state auth_bend_timeout
Dec 5 13:28:26.584: @@@ dot1x_auth_bend Gi1/0/1: auth_bend_timeout -> auth_bend_idle
Dec 5 13:28:26.584: dot1x-sm:[d45d.646c.d656, Gi1/0/1] 0x49000045:entering idle state
Dec 5 13:28:26.585: dot1x-sm:[d45d.646c.d656, Gi1/0/1] Posting AUTH_TIMEOUT on Client 0x49000045
Dec 5 13:28:26.585: dot1x_auth Gi1/0/1: during state auth_authenticating, got event 14(authTimeout)
Dec 5 13:28:26.585: @@@ dot1x_auth Gi1/0/1: auth_authenticating -> auth_authc_result
Dec 5 13:28:26.585: dot1x-sm:[d45d.646c.d656, Gi1/0/1] 0x49000045:exiting authenticating state
Dec 5 13:28:26.585: dot1x-sm:[d45d.646c.d656, Gi1/0/1] 0x49000045:entering authc result state
Dec 5 13:28:26.585: %DOT1X-5-FAIL: Authentication failed for client (d45d.646c.d656) on Interface Gi1/0/1 AuditSessionID AC1B01620000105D0A5FCED6
Dec 5 13:28:26.585: dot1x-packet:[d45d.646c.d656, Gi1/0/1] Added username in dot1x
Dec 5 13:28:26.585: dot1x-packet:[d45d.646c.d656, Gi1/0/1] Dot1x did not receive any key data
Dec 5 13:28:26.586: dot1x-ev:[d45d.646c.d656, Gi1/0/1] Processing client delete for hdl 0x49000045 sent by Auth Mgr
Dec 5 13:28:26.586: dot1x-ev:[d45d.646c.d656, Gi1/0/1] d45d.646c.d656: sending canned failure due to method termination
Dec 5 13:28:26.586: dot1x-ev:[Gi1/0/1] Sending EAPOL packet to group PAE address
Dec 5 13:28:26.586: dot1x-registry:registry:dot1x_ether_macaddr called
Dec 5 13:28:26.586: dot1x-ev:[Gi1/0/1] Sending out EAPOL packet
Dec 5 13:28:26.586: dot1x-packet:EAPOL pak Tx - Ver: 0x3 type: 0x0
Dec 5 13:28:26.586: dot1x-packet: length: 0x0004
Dec 5 13:28:26.586: dot1x-packet:EAP code: 0x4 id: 0x1 length: 0x0004
Dec 5 13:28:26.587: dot1x-packet:[d45d.646c.d656, Gi1/0/1] EAPOL canned status packet sent to client 0x49000045
Dec 5 13:28:26.587: dot1x-ev:[d45d.646c.d656, Gi1/0/1] Deleting client 0x49000045 (d45d.646c.d656)
Dec 5 13:28:26.587: dot1x-ev:[d45d.646c.d656, Gi1/0/1] Delete auth client (0x49000045) message
Dec 5 13:28:26.587: dot1x-ev:Auth client ctx destroyed
Dec 5 13:28:26.674: RADIUS(00000000): Request timed out!
Dec 5 13:28:26.674: RADIUS: Retransmit to (172.16.180.104:1645,1646) for id 1645/47
Dec 5 13:28:26.674: RADIUS(00000000): Started 5 sec timeout
Dec 5 13:28:31.713: RADIUS(00000000): Request timed out!
Dec 5 13:28:31.713: RADIUS: Retransmit to (172.16.180.104:1645,1646) for id 1645/47
Dec 5 13:28:31.714: RADIUS(00000000): Started 5 sec timeout
Dec 5 13:28:36.743: RADIUS(00000000): Request timed out!
Dec 5 13:28:36.743: RADIUS: No response from (172.16.180.104:1645,1646) for id 1645/47
Dec 5 13:28:36.743: RADIUS/DECODE: No response from radius-server; parse response; FAIL
Dec 5 13:28:36.743: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL

I don't know why the RADIUS server doesn't reply, and the requests time out.
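The debug output above already answers the question the post ends on, if read mechanically: every Access-Request is retransmitted and never answered, which is a different failure from an Access-Reject. The following is an added example, not code from the thread, from Fortinet or from Cisco: it parses `debug radius` lines (the sample below is copied and abridged from this post, with the masked username kept) and separates "server never replied" from "server replied and refused". The `Received from` line pattern is the form IOS prints when a reply arrives and is an assumption here, since no reply appears anywhere on the page.

```python
"""Added example (not part of the thread): triage a Cisco IOS `debug radius` capture.

A timeout after retransmits points at reachability, the server's NAS/client list,
the shared secret, or a port/service filter in front of the RADIUS daemon.  A reply,
even Access-Reject, proves the server saw the request.
"""
import re

# Patterns taken from the debug lines on the page.  RE_RECV is the line IOS prints
# when a reply arrives; it is an assumption here because the page shows no reply.
RE_SRC = re.compile(r"Best Local IP-Address (\S+) for Radius-Server (\S+)")
RE_SEND = re.compile(r"Send Access-Request to (\S+) .*?id (\S+),")
RE_USER = re.compile(r'User-Name\s+\[1\]\s+\d+\s+"([^"]*)"')
RE_RETX = re.compile(r"Retransmit to \(([^)]+)\) for id (\S+)")
RE_NORESP = re.compile(r"No response from \(([^)]+)\) for id (\S+)")
RE_RECV = re.compile(r"Received from id (\S+) (\S+), (Access-\w+)")
RE_FAIL = re.compile(r"%DOT1X-5-FAIL: Authentication failed for client \(([\w.]+)\)")


def verdict(req):
    """Turn the collected facts into the next troubleshooting step."""
    if req["reply"] is None:
        return (f"no reply from {req['server']} after {req['retransmits']} retransmits; "
                f"check reachability/UDP port from NAS {req['nas_ip']}, that {req['nas_ip']} "
                "is a known NAS on the server, the shared secret, and that the server's "
                "interface permits the RADIUS service")
    if req["reply"] == "Access-Reject":
        return "server reachable; it rejected the user: check credentials, EAP method and policy"
    return f"server replied {req['reply']}"


def triage(lines):
    """Summarise one authentication attempt from debug radius output."""
    req = {"nas_ip": None, "server": None, "id": None, "user": None,
           "retransmits": 0, "gave_up": False, "reply": None, "dot1x_fail": None}
    for line in lines:
        if m := RE_SRC.search(line):
            req["nas_ip"] = m.group(1)
        elif m := RE_SEND.search(line):
            req["server"], req["id"] = m.group(1), m.group(2)
        elif m := RE_USER.search(line):
            req["user"] = m.group(1)
        elif m := RE_RETX.search(line):
            req["retransmits"] += 1
        elif m := RE_NORESP.search(line):
            req["gave_up"] = True
        elif m := RE_RECV.search(line):
            req["reply"] = m.group(3)
        elif m := RE_FAIL.search(line):
            req["dot1x_fail"] = m.group(1)
    req["verdict"] = verdict(req)
    return req


# Constructed sample: lines copied/abridged from the post above.
SAMPLE_LOG = [
    "Dec 5 13:28:16.594: RADIUS/ENCODE: Best Local IP-Address 172.27.1.98 for Radius-Server 172.16.180.104",
    "Dec 5 13:28:16.594: RADIUS(00000000): Send Access-Request to 172.16.180.104:1645 onvrf(0) id 1645/47, len 321",
    'Dec 5 13:28:16.594: RADIUS: User-Name [1] 27 "user@domain.com"',
    "Dec 5 13:28:16.595: RADIUS: NAS-IP-Address [4] 6 172.27.1.98",
    "Dec 5 13:28:21.634: RADIUS: Retransmit to (172.16.180.104:1645,1646) for id 1645/47",
    "Dec 5 13:28:26.585: %DOT1X-5-FAIL: Authentication failed for client (d45d.646c.d656) on Interface Gi1/0/1 AuditSessionID AC1B01620000105D0A5FCED6",
    "Dec 5 13:28:26.674: RADIUS: Retransmit to (172.16.180.104:1645,1646) for id 1645/47",
    "Dec 5 13:28:31.713: RADIUS: Retransmit to (172.16.180.104:1645,1646) for id 1645/47",
    "Dec 5 13:28:36.743: RADIUS: No response from (172.16.180.104:1645,1646) for id 1645/47",
]

# Constructed line in the IOS reply format (assumed; not on the page), for contrast.
SAMPLE_REPLY_LINE = "Dec 5 13:28:21.634: RADIUS: Received from id 1645/47 172.16.180.104:1645, Access-Reject, len 20"

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the real capture with `triage(open("debug.txt").read().splitlines())`; the `nas_ip` field is the address to compare against the RADIUS server's client/inventory list, and `retransmits` with `reply` empty is the signature of a request that is being dropped rather than refused.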

Hatibi

Dec 5 13:28:16.594: RADIUS: User-Name [1] 27 "user@domain.com"

EAP-Message [79] 32
Dec 5 13:28:16.595: RADIUS: 02 01 00 1E 01 70 61 6F 6C 6F 2E 76 61 72 63 68 65 74 74 61 40 [user@]

 

What is the username that you are testing with?

It does not look like the supplicant is sending the correct username.

FortiNAC as RADIUS server should reply with an Access-Reject. If it times out, it could be that it cannot reach LDAP to validate the user.

Enable debugging at the high level in the Network > Radius menu and check what error it generates when the timeout happens.

 

Thonno
New Contributor III

user@domain.com was added afterward to mask the user's information; the original logging contained the user's details correctly.

Testing from enter-shell using wbinfo with user credentials in the format DOMAIN\user works properly.

On the FortiNAC side, as mentioned, I have enabled service log debug and server log debug, but I only see the test sessions from the switch with "nonExistUser":

(0) Received Access-Request Id 29 from 127.0.0.1:54124 to 127.0.0.1:1645 length 87
(0) User-Name = "nonExistUser"
(0) CHAP-Password = 0xab4706d99dab8ebe1c17f6824d3c811745
(0) CHAP-Challenge = 0xd233c031ab82990e8be38ddaee79341d
(0) NAS-Identifier = "fortinac"
(0) NAS-IP-Address = 172.16.180.104
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) Post-Auth-Type sub-section not found. Ignoring.
(0) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [nonExistUser] (from client localhost port 0)
(0) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 29 from 127.0.0.1:1645 to 127.0.0.1:54124 length 38
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 29 with timestamp +9 due to cleanup_delay was reached
Ready to process requests

Hatibi

It looks like FortiNAC is not receiving the request.

Just to be sure this is not some GUI problem, test by enabling a tcpdump in FortiNAC cli:

 

execute tcpdump -i any host x.x.x.x and port 1812 -v   (replace x.x.x.x with the switch IP)

If there is nothing for the user you are testing, it means the packets are dropped along the way, and since the switch gets no response it will time out.
Thonno
New Contributor III

User and domain information masked.

 

fortinac # execute tcpdump -i any host 172.27.1.98 and port 1645 -v
tcpdump: data link type LINUX_SLL2
dropped privs to admin
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
16:43:49.766710 port1 In IP (tos 0x0, ttl 254, id 54478, offset 0, flags [none], proto UDP (17), length 349)
172.27.1.98.datametrics > fortinac.domain.com.datametrics: RADIUS, length: 321
Access-Request (1), id: 0x34, Authenticator: 14133013a99344f691113df94e4703a7
User-Name Attribute (1), length: 27, Value: user@domain.com
Service-Type Attribute (6), length: 6, Value: Framed
Vendor-Specific Attribute (26), length: 27, Value: Vendor: Cisco (9)
Vendor Attribute: 1, Length: 19, Value: service-type=Framed
Framed-MTU Attribute (12), length: 6, Value: 1500
Called-Station-Id Attribute (30), length: 19, Value: 70-7D-B9-3C-A2-01
Calling-Station-Id Attribute (31), length: 19, Value: D4-5D-64-6C-D6-56
EAP-Message Attribute (79), length: 32, Value: Response (2), id 1, len 30
Type Identity (1), Identity: user@domain.com
Message-Authenticator Attribute (80), length: 18, Value: .L=..<AX.5.8..U.
EAP-Key-Name Attribute (102), length: 2, Value:
Vendor-Specific Attribute (26), length: 49, Value: Vendor: Cisco (9)
Vendor Attribute: 1, Length: 41, Value: audit-session-id=AC1B0162000011A10ADBE93A
Vendor-Specific Attribute (26), length: 20, Value: Vendor: Cisco (9)
Vendor Attribute: 1, Length: 12, Value: method=dot1x
NAS-IP-Address Attribute (4), length: 6, Value: 172.27.1.98
NAS-Identifier Attribute (32), length: 8, Value: global
Vendor-Specific Attribute (26), length: 28, Value: Vendor: Cisco (9)
Vendor Attribute: 2, Length: 20, Value: GigabitEthernet1/0/1
NAS-Port-Id Attribute (87), length: 22, Value: GigabitEthernet1/0/1
NAS-Port-Type Attribute (61), length: 6, Value: Ethernet
NAS-Port Attribute (5), length: 6, Value: 50101
16:43:54.802198 port1 In IP (tos 0x0, ttl 254, id 54486, offset 0, flags [none], proto UDP (17), length 349)
172.27.1.98.datametrics > fortinac.domain.com.datametrics: RADIUS, length: 321
Access-Request (1), id: 0x34, Authenticator: 14133013a99344f691113df94e4703a7
User-Name Attribute (1), length: 27, Value: user@domain.com
Service-Type Attribute (6), length: 6, Value: Framed
Vendor-Specific Attribute (26), length: 27, Value: Vendor: Cisco (9)
Vendor Attribute: 1, Length: 19, Value: service-type=Framed
Framed-MTU Attribute (12), length: 6, Value: 1500
Called-Station-Id Attribute (30), length: 19, Value: 70-7D-B9-3C-A2-01
Calling-Station-Id Attribute (31), length: 19, Value: D4-5D-64-6C-D6-56
EAP-Message Attribute (79), length: 32, Value: Response (2), id 1, len 30
Type Identity (1), Identity: user@domain.com
Message-Authenticator Attribute (80), length: 18, Value: .L=..<AX.5.8..U.
EAP-Key-Name Attribute (102), length: 2, Value:
Vendor-Specific Attribute (26), length: 49, Value: Vendor: Cisco (9)
Vendor Attribute: 1, Length: 41, Value: audit-session-id=AC1B0162000011A10ADBE93A
Vendor-Specific Attribute (26), length: 20, Value: Vendor: Cisco (9)
Vendor Attribute: 1, Length: 12, Value: method=dot1x
NAS-IP-Address Attribute (4), length: 6, Value: 172.27.1.98
NAS-Identifier Attribute (32), length: 8, Value: global
Vendor-Specific Attribute (26), length: 28, Value: Vendor: Cisco (9)
Vendor Attribute: 2, Length: 20, Value: GigabitEthernet1/0/1
NAS-Port-Id Attribute (87), length: 22, Value: GigabitEthernet1/0/1
NAS-Port-Type Attribute (61), length: 6, Value: Ethernet
NAS-Port Attribute (5), length: 6, Value: 50101
16:43:59.841252 port1 In IP (tos 0x0, ttl 254, id 54493, offset 0, flags [none], proto UDP (17), length 349)
172.27.1.98.datametrics > fortinac.domain.com.datametrics: RADIUS, length: 321
Access-Request (1), id: 0x34, Authenticator: 14133013a99344f691113df94e4703a7
User-Name Attribute (1), length: 27, Value: user@domain.com
Service-Type Attribute (6), length: 6, Value: Framed
Vendor-Specific Attribute (26), length: 27, Value: Vendor: Cisco (9)
Vendor Attribute: 1, Length: 19, Value: service-type=Framed
Framed-MTU Attribute (12), length: 6, Value: 1500
Called-Station-Id Attribute (30), length: 19, Value: 70-7D-B9-3C-A2-01
Calling-Station-Id Attribute (31), length: 19, Value: D4-5D-64-6C-D6-56
EAP-Message Attribute (79), length: 32, Value: Response (2), id 1, len 30
Type Identity (1), Identity: user@domain.com
Message-Authenticator Attribute (80), length: 18, Value: .L=..<AX.5.8..U.
EAP-Key-Name Attribute (102), length: 2, Value:
Vendor-Specific Attribute (26), length: 49, Value: Vendor: Cisco (9)
Vendor Attribute: 1, Length: 41, Value: audit-session-id=AC1B0162000011A10ADBE93A
Vendor-Specific Attribute (26), length: 20, Value: Vendor: Cisco (9)
Vendor Attribute: 1, Length: 12, Value: method=dot1x
NAS-IP-Address Attribute (4), length: 6, Value: 172.27.1.98
NAS-Identifier Attribute (32), length: 8, Value: global
Vendor-Specific Attribute (26), length: 28, Value: Vendor: Cisco (9)
Vendor Attribute: 2, Length: 20, Value: GigabitEthernet1/0/1
NAS-Port-Id Attribute (87), length: 22, Value: GigabitEthernet1/0/1
NAS-Port-Type Attribute (61), length: 6, Value: Ethernet
NAS-Port Attribute (5), length: 6, Value: 50101

Hatibi

The request is being sourced from 172.27.1.98. Is the switch added with this IP in FortiNAC? FortiNAC will ignore RADIUS requests when they are not coming from a source IP it has in the Inventory view.

 

Enable following debugs in FortiNAC:

 

diagnose debug plugin enable RadiusAccess

diagnose debug plugin enable RadiusManager

diagnose debug plugin enable BridgeManager

diagnose tail -F output.master

 

Then recreate the issue. The output.master logs should show how the request is being processed.

 

Additionally, double-check that the "radius" and "radius-local" services are allowed on port1.

 

show system interface
config system interface
edit port1
set ip 10.10.10.6/24
set allowaccess http https-adminui nac-agent nac-ipc netflow ping radius radius-acct radius-local radius-local-radsec snmp ssh

end
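Both causes Hatibi names (a NAS source IP that is not in the inventory, and a port1 that does not permit the RADIUS service) look identical from the switch: no reply at all, so the switch retransmits and eventually logs a timeout, whereas a request the server actually processes always produces a reply, even if that reply is Access-Reject. The following is an added example, not code from the thread or from Fortinet: a minimal RADIUS Access-Request builder and parser with the RFC 3579 Message-Authenticator check, plus a server-side admission function that reproduces that distinction. The shared secret, the inventory dictionary and the allowaccess set are constructed for illustration; the attribute values, packet ID and authenticator copy the request captured in the tcpdump above.

```python
"""Added example (not part of the thread): why a RADIUS NAS sees a timeout instead of
an Access-Reject.  Models the admission checks a server such as FortiNAC applies
before it will answer at all.

Assumptions (mine): SECRET, the inventory dict and the allowaccess set are made up.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_REJECT = 1, 3
USER_NAME, NAS_IP_ADDRESS, CALLING_STATION_ID = 1, 4, 31
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RFC 2865 type/length/value triples."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_access_request(pkt_id, authenticator, attrs, secret):
    """Access-Request with Message-Authenticator (RFC 3579 section 3.2): HMAC-MD5 over
    the whole packet with the attribute zeroed, keyed with the shared secret."""
    def pack(mac):
        body = encode_attrs(list(attrs) + [(MESSAGE_AUTHENTICATOR, mac)])
        return struct.pack("!BBH", ACCESS_REQUEST, pkt_id, 20 + len(body)) + authenticator + body
    return pack(hmac.new(secret, pack(b"\x00" * 16), hashlib.md5).digest())


def parse(packet):
    """Return (code, id, authenticator, [(type, value), ...]); refuses malformed TLVs."""
    code, pkt_id, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute")
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return code, pkt_id, packet[4:20], attrs


def verify_message_authenticator(packet, secret):
    """Recompute the HMAC with the attribute zeroed and compare in constant time."""
    code, pkt_id, auth, attrs = parse(packet)
    received = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(received) != 1 or len(received[0]) != 16:
        return False
    zeroed = [(t, b"\x00" * 16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    body = encode_attrs(zeroed)
    rebuilt = struct.pack("!BBH", code, pkt_id, 20 + len(body)) + auth + body
    return hmac.compare_digest(received[0], hmac.new(secret, rebuilt, hashlib.md5).digest())


def server_decision(packet, src_ip, inventory, allowaccess):
    """'discard' = no reply (the NAS retransmits, then logs a timeout, as in this thread);
    'reject' = the server answered, which the NAS logs as a failure, not a timeout."""
    if "radius" not in allowaccess:
        return "discard", "interface does not permit the radius service; daemon never sees it"
    secret = inventory.get(src_ip)
    if secret is None:
        return "discard", f"{src_ip} is not a known NAS; RFC 2865 says silently discard"
    if not verify_message_authenticator(packet, secret):
        return "discard", "Message-Authenticator mismatch (wrong shared secret?)"
    _, pkt_id, _, attrs = parse(packet)
    user = dict(attrs).get(USER_NAME, b"").decode(errors="replace")
    # No user store in this example: a well-formed request from a known NAS is
    # answered with Access-Reject, which is still a reply the NAS can see.
    return "reject", f"Access-Reject id={pkt_id} for {user!r}"


# Constructed sample mirroring the capture on the page; SECRET is made up.
SECRET = b"example-shared-secret"
NAS_IP = "172.27.1.98"
AUTHENTICATOR = bytes.fromhex("14133013a99344f691113df94e4703a7")
IDENTITY = b"user@domain.com"
EAP_RESPONSE_IDENTITY = struct.pack("!BBH", 2, 1, 5 + len(IDENTITY)) + b"\x01" + IDENTITY
SAMPLE_ATTRS = [
    (USER_NAME, IDENTITY),
    (CALLING_STATION_ID, b"D4-5D-64-6C-D6-56"),
    (EAP_MESSAGE, EAP_RESPONSE_IDENTITY),
    (NAS_IP_ADDRESS, bytes(int(o) for o in NAS_IP.split("."))),
]
SAMPLE_REQUEST = build_access_request(0x34, AUTHENTICATOR, SAMPLE_ATTRS, SECRET)

if __name__ == "__main__":
    print(server_decision(SAMPLE_REQUEST, NAS_IP, {}, {"radius"}))
    print(server_decision(SAMPLE_REQUEST, NAS_IP, {NAS_IP: SECRET}, {"ssh", "https-adminui"}))
    print(server_decision(SAMPLE_REQUEST, NAS_IP, {NAS_IP: SECRET}, {"radius"}))
```

The three calls at the bottom correspond to the three situations discussed in the thread: switch missing from the inventory, `radius` missing from `allowaccess` on port1, and the working case. Only the last one produces a packet the switch can see; the first two are indistinguishable on the switch side, which is why the tcpdump on the FortiNAC interface was the decisive test.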

 

Thonno
New Contributor III

OK, I'm so stupid.
I set
"set allowaccess http https-adminui nac-agent nac-ipc netflow ping radius radius-acct radius-local radius-local-radsec snmp ssh"

and it solved the issue...

Thank you! 
