Hi
Since upgrading to 7.4.1, none of the 801.x RADIUS Wi-Fi SSIDs will authenticate.
We have an open support case, but are not finding anything specific.
Has anyone noticed similar behaviour?
Can you please share the case ID?
Sure, 8770664
The best way to find out why a wireless client can't connect via RADIUS is by running the debug in this article: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Debugging-a-wireless-client-connecti...
It will tell you whether or not an attempt is made to the RADIUS server, and what the RADIUS server came back to you with.
Hi, running the debug scripts shows a good back and forth between client and FW
61219.513 ac:74:b1:6a:b0:f8 <eh> RADIUS message (type=0) ==> RADIUS Server code=1 (Access-Request) id=181 len=343
61219.513 ac:74:b1:6a:b0:f8 <eh> RADIUS message (type=0) <== RADIUS Server code=11 (Access-Challenge) id=181 len=1490
But client never connects
61232.748 ac:74:b1:6a:b0:f8 <eh> ***WPA_PTK ac:74:b1:6a:b0:f8 DISCONNECTED***
12210.748 245 ac:74:b1:6a:b0:f8 <cc> STA_CFG_REQ(125) sta ac:74:b1:6a:b0:f8 del ==> ws (0-10.60.206.40:5246) rId 1 wId 0
12210.749 245 ac:74:b1:6a:b0:f8 <cc> STA del ac:74:b1:6a:b0:f8 vap Syd-VAP ws (0-10.60.206.40:5246) rId 1 wId 0 00:0c:e6:b3:83:d1 sec WPA2 RADIUS action idle_timeout
reason 508
12210.749 245 ac:74:b1:6a:b0:f8 cwAcStaRbtDel: D2C/C2C_STA_DEL remove sta ac:74:b1:6a:b0:f8 10.60.206.40/1/0/3 from staRbt
12210.749 245 ac:74:b1:6a:b0:f8 <dc> STA chg ac:74:b1:6a:b0:f8 vap Syd-VAP ws (0-10.60.206.40:5246) rId 1 wId 0 bssid 00:0c:e6:b3:83:d1 NON-AUTH
12210.749 245 ac:74:b1:6a:b0:f8 <cc> STA chg no key ac:74:b1:6a:b0:f8 vap Syd-VAP ws (0-10.60.206.40:5246) rId 1 wId 0 00:0c:e6:b3:83:d1 sec WPA2 RADIUS user host/SW
10S06301.cbp.local group NULL
12210.749 245 ac:74:b1:6a:b0:f8 <dc> STA chg ac:74:b1:6a:b0:f8 vap Syd-VAP ws (0-10.60.206.40:5246) rId 1 wId 0 bssid 00:0c:e6:b3:83:d1 NON-AUTH
12210.749 245 ac:74:b1:6a:b0:f8 <cc> STA chg no key ac:74:b1:6a:b0:f8 vap Syd-VAP ws (0-10.60.206.40:5246) rId 1 wId 0 00:0c:e6:b3:83:d1 sec WPA2 RADIUS user host/SW
10S06301.cbp.local group NULL
12210.751 245 ac:74:b1:6a:b0:f8 <cc> STA_CFG_RESP(125) ac:74:b1:6a:b0:f8 <== ws (0-10.60.206.40:5246) rc 0 (Success)
No IP address is assigned to the client and an 801.x auth disassociation is recorded in the logs
Any logs on the RADIUS server? It's asking the client for additional information for some reason.
NPS logs are all SUCCESSFUL
Hello Steve,
Please refer: https://community.fortinet.com/t5/FortiGate/Technical-Tip-EAP-Proxy-consuming-high-CPU-after-upgrade...
This was a known issue with the Wi-Fi certificate getting updated. Can you try to reboot your firewall if you still see eap_proxy crash in the crash log?
You can also test by configuring one SSID with simple pre-shared key authentication to rule out that it's only a RADIUS authentication issue.
None of the commands show any evidence of a certificate issue. EAP_Proxy is running, but not crashing. WPA2 Personal SSID works fine.
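For anyone triaging the same kind of debug output, here is an added example (not part of the thread and not Fortinet code) that groups the lines per station MAC and separates stations the RADIUS server answered from stations dropped while the last RADIUS packet was still an Access-Challenge. The regexes assume the line layout shown in the posts above; the `aa:bb:cc:00:00:01` lines are constructed for contrast.

```python
import re
from collections import defaultdict

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
RADIUS_RE = re.compile(
    rf"({MAC}) <eh> RADIUS message \(type=\d+\) (?:==>|<==) "
    r"RADIUS Server code=(\d+) \([\w-]+\) id=\d+ len=(\d+)")
DISC_RE = re.compile(rf"\*\*\*WPA_PTK ({MAC}) DISCONNECTED\*\*\*")
DEL_RE = re.compile(rf"<cc> STA del ({MAC}) .* action (\S+)")
ACCEPT, REJECT, CHALLENGE = 2, 3, 11  # RADIUS packet codes (RFC 2865)

def classify(sta):
    codes = sta["codes"]
    if ACCEPT in codes:
        return "accepted"
    if REJECT in codes:
        return "rejected"
    # Last RADIUS packet was a server challenge and the station was dropped:
    # the EAP conversation stopped before the server gave a final answer.
    if codes and codes[-1] == CHALLENGE and (sta["disconnected"] or sta["del_action"]):
        return "stalled-after-challenge"
    return "incomplete"

def summarize(log_text):
    stations = defaultdict(lambda: {"codes": [], "max_len": 0,
                                    "disconnected": False, "del_action": None})
    for line in log_text.splitlines():
        if m := RADIUS_RE.search(line):
            sta = stations[m.group(1)]
            sta["codes"].append(int(m.group(2)))
            sta["max_len"] = max(sta["max_len"], int(m.group(3)))
        elif m := DISC_RE.search(line):
            stations[m.group(1)]["disconnected"] = True
        elif m := DEL_RE.search(line):
            stations[m.group(1)]["del_action"] = m.group(2)
    return {mac: {**sta, "verdict": classify(sta)} for mac, sta in stations.items()}

# First four lines are from the thread; the aa:bb:cc:00:00:01 lines are constructed.
SAMPLE = """\
61219.513 ac:74:b1:6a:b0:f8 <eh> RADIUS message (type=0) ==> RADIUS Server code=1 (Access-Request) id=181 len=343
61219.513 ac:74:b1:6a:b0:f8 <eh> RADIUS message (type=0) <== RADIUS Server code=11 (Access-Challenge) id=181 len=1490
61232.748 ac:74:b1:6a:b0:f8 <eh> ***WPA_PTK ac:74:b1:6a:b0:f8 DISCONNECTED***
12210.749 245 ac:74:b1:6a:b0:f8 <cc> STA del ac:74:b1:6a:b0:f8 vap Syd-VAP ws (0-10.60.206.40:5246) rId 1 wId 0 00:0c:e6:b3:83:d1 sec WPA2 RADIUS action idle_timeout
61300.100 aa:bb:cc:00:00:01 <eh> RADIUS message (type=0) ==> RADIUS Server code=1 (Access-Request) id=7 len=300
61300.140 aa:bb:cc:00:00:01 <eh> RADIUS message (type=0) <== RADIUS Server code=2 (Access-Accept) id=7 len=200
"""

if __name__ == "__main__":
    for mac, sta in summarize(SAMPLE).items():
        print(mac, sta["verdict"], sta["codes"], sta["max_len"], sta["del_action"])
```

A `stalled-after-challenge` verdict only reflects what the pasted excerpt contains, so feed it the full capture before comparing against the RADIUS server's own logs.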