barisben
Issue with dot1x on FortiNAC

Hey,

I configured dot1x on FortiNAC with these and trying with Aruba AOS-CX Switch; (Winbind joined and Radius services running)

[Attached screenshots of the FortiNAC configuration: Screenshot_2.png through Screenshot_6.png]

 

When I try to connect, I see logs with the correct username but FortiNAC does not send reply packet.

10:38:54.579232 IP (tos 0x0, ttl 62, id 13822, offset 0, flags [DF], proto UDP (17), length 199)
    10.8.4.4.35733 > trnacsr01.test.local.radius: RADIUS, length: 171
        Access-Request (1), id: 0x30, Authenticator: 4be24ae1715b87beb75e8daa5fd19d8f
          User-Name Attribute (1), length: 23, Value: TEST\baris.yilmaz
          Calling-Station-Id Attribute (31), length: 19, Value: E8-80-88-E9-46-69
          NAS-Port-Type Attribute (61), length: 6, Value: Ethernet
          NAS-Port-Id Attribute (87), length: 8, Value: 1/1/23
          NAS-Port Attribute (5), length: 6, Value: 23
          Service-Type Attribute (6), length: 6, Value: Framed
          EAP-Message Attribute (79), length: 28, Value: ..
          Message-Authenticator Attribute (80), length: 18, Value: ..SD.=8..z..V.0.
          Called-Station-Id Attribute (30), length: 19, Value: EC-50-AA-2C-6B-80
          NAS-Identifier Attribute (32), length: 12, Value: TRTESTSW03
          NAS-IP-Address Attribute (4), length: 6, Value: 10.8.4.4
10:38:59.582905 IP (tos 0x0, ttl 62, id 14204, offset 0, flags [DF], proto UDP (17), length 199)
    10.8.4.4.35733 > trnacsr01.test.local.radius: RADIUS, length: 171
        Access-Request (1), id: 0x30, Authenticator: 4be24ae1715b87beb75e8daa5fd19d8f
          User-Name Attribute (1), length: 23, Value: TEST\baris.yilmaz
          Calling-Station-Id Attribute (31), length: 19, Value: E8-80-88-E9-46-69
          NAS-Port-Type Attribute (61), length: 6, Value: Ethernet
          NAS-Port-Id Attribute (87), length: 8, Value: 1/1/23
          NAS-Port Attribute (5), length: 6, Value: 23
          Service-Type Attribute (6), length: 6, Value: Framed
          EAP-Message Attribute (79), length: 28, Value: ..
          Message-Authenticator Attribute (80), length: 18, Value: ..SD.=8..z..V.0.
          Called-Station-Id Attribute (30), length: 19, Value: EC-50-AA-2C-6B-80
          NAS-Identifier Attribute (32), length: 12, Value: TRTESTSW03
          NAS-IP-Address Attribute (4), length: 6, Value: 10.8.4.4

ebilcari
Staff

Firstly, you may not need the Authentication Policy; there is a common misconception about it. You can read more about it in this discussion.

Is the authentication port configured to be 1812 in FNAC under RADIUS configuration and is the switch modeled using the IP 10.8.4.4?

Some helpful logs can be read from GUI in RADIUS > View Logs, Service Log.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
barisben

Okay, I deleted the Authentication Policy. Auth port configured 1812 and switch modeled for sure. Will edit for logs.

ebilcari

Can you specify the FNAC version that is currently running? Is there any other existing network device that is currently doing successful RADIUS authentication with FNAC?

The content in the logs is related to this behavior and can be ignored. You can also temporarily increase the debug level in 'Service Log Debug'.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
barisben

When I delete Authentication Policy, now I can see the logs from Service Log and FortiNAC sent access-accept but it says VLAN = 1 so not changing to the correct VLAN. FortiNAC v9.4.7 btw. User belongs to the ITNS VLAN.

(62) Login OK: [COKYASAR\baris.yilmaz] (from client 10.8.4.4 port 23 cli E8-80-88-E9-46-69)
(62) Sent Access-Accept Id 114 from 10.6.7.18:1812 to 10.8.4.4:57932 length 0
(62)   User-Name = "TEST\\baris.yilmaz"
(62)   Tunnel-Type = VLAN
(62)   Tunnel-Private-Group-Id = "1"
(62)   Tunnel-Medium-Type = IEEE-802
(62)   MS-MPPE-Recv-Key = 0x79b287230ffba6d40495f0de85978789ff88fe4dfb5947f1ab0e2e7f51d2d939
(62)   MS-MPPE-Send-Key = 0x8e0fa0f9e3e8f1a6f1735bb95abfdaaa7b3b76f54cfe85abff61a4a5cf378d85
(62)   EAP-Message = 0x03b10004
(62)   Message-Authenticator = 0x00000000000000000000000000000000
(62) Finished request
ebilcari

This may be an indication that the UH profile in the Network Access Policy is not matching. You can try to simplify 'dot1x_ITNS', for example to check only the location, and then later try to add more conditions.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
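As an added example (not code from the thread or from Fortinet), here is a small Python check that parses Service Log "Sent Access-Accept" blocks like the one quoted above and flags accepts where a known user was sent the switch default VLAN 1 or an incomplete Tunnel-* triple, which is the symptom discussed here. The ITNS VLAN id (140) and the second user are assumed placeholders, and the sample log is constructed from the quoted lines.

```python
import re
# Constructed sample modelled on the Service Log above; request 63 is an invented second user who got the right VLAN.
SAMPLE_LOG = """\
(62) Login OK: [TEST\\baris.yilmaz] (from client 10.8.4.4 port 23 cli E8-80-88-E9-46-69)
(62) Sent Access-Accept Id 114 from 10.6.7.18:1812 to 10.8.4.4:57932 length 0
(62)   User-Name = "TEST\\\\baris.yilmaz"
(62)   Tunnel-Type = VLAN
(62)   Tunnel-Private-Group-Id = "1"
(62)   Tunnel-Medium-Type = IEEE-802
(62) Finished request
(63) Login OK: [TEST\\jane.doe] (from client 10.8.4.4 port 24 cli 00-11-22-33-44-55)
(63) Sent Access-Accept Id 115 from 10.6.7.18:1812 to 10.8.4.4:57933 length 0
(63)   User-Name = "TEST\\\\jane.doe"
(63)   Tunnel-Type = VLAN
(63)   Tunnel-Private-Group-Id = "140"
(63)   Tunnel-Medium-Type = IEEE-802
(63) Finished request
"""
# Assumed user -> VLAN id the Network Access Policy should assign; the ITNS id is not in the thread, 140 is a placeholder.
EXPECTED_VLAN = {"TEST\\baris.yilmaz": "140", "TEST\\jane.doe": "140"}
DEFAULT_VLAN = "1"  # switch default; a known user landing here means no UH profile / policy matched
LINE_RE = re.compile(r"^\((\d+)\)\s+(.*)$")
ATTR_RE = re.compile(r'^([\w-]+)\s*=\s*"?([^"]*)"?$')

def parse_accepts(text):
    """Collect the attributes of every 'Sent Access-Accept' block, keyed by request id."""
    accepts = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rid, body = int(m.group(1)), m.group(2).strip()
        if body.startswith("Sent Access-Accept"):
            accepts[rid] = {}
        elif rid in accepts and (a := ATTR_RE.match(body)):
            accepts[rid][a.group(1)] = a.group(2)
    return accepts

def find_vlan_problems(text, expected=EXPECTED_VLAN):
    """Return [(request id, user, reason)] for Access-Accepts that need investigation."""
    problems = []
    for rid, attrs in parse_accepts(text).items():
        user = attrs.get("User-Name", "").replace("\\\\", "\\")  # undo the log's backslash escaping
        vlan = attrs.get("Tunnel-Private-Group-Id")
        tunnel_ok = attrs.get("Tunnel-Type") == "VLAN" and attrs.get("Tunnel-Medium-Type") == "IEEE-802"
        if not (vlan and tunnel_ok):
            problems.append((rid, user, "incomplete Tunnel-* triple; switch keeps its port default VLAN"))
        elif user in expected and vlan != expected[user]:
            why = "no UH profile / policy matched" if vlan == DEFAULT_VLAN else "a different policy matched"
            problems.append((rid, user, f"sent VLAN {vlan}, expected {expected[user]}: {why}"))
    return problems
```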
barisben

When I delete the RADIUS Req Attribute "EAP-Type-Name: PEAP" it worked. But why? I need to check whether it is Wireless or Wired after this test. The other thing is that if I log in with an invalid user, FortiNAC does not push me to the Register VLAN. It assigns VLAN 1.

ebilcari

The RADIUS filters are not heavily used, as far as I have seen; there are plenty of other conditions used to match the hosts.

Anyway, the conditions that can be used as filters can be checked in the Endpoint Fingerprints for the desired hosts. You can try to match it with the full value like: 'EAP-Type-Name' 'MSCHAPV2,PEAP' or use 'EAP-Type' '26,25':

[Attached screenshot: radius attribute uhp.PNG]

Make sure to enforce 'Forced Registration' and 'Role Based Access' in Port Group membership.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
barisben

'Forced Registration' and 'Role Based Access' both selected already.

ebilcari

If the host is rogue and Registration is enforced, the registration VLAN should be sent in the Access-Accept. Make sure that the host is not being automatically registered, and check whether the registration VLAN is configured in the switch.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.