FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
FortiKoala
Staff
Article Id 191439

Description
This article describes how to troubleshoot clients that cannot connect to a network managed by FortiNAC when RADIUS is used for authentication (802.1x or MAC authentication).

Solution
1)  Verify Model Configuration for the switch/Controller/Access Point:
SSH/Telnet credentials
VLAN Assignments

2)  The RADIUS secret must match exactly among all of the following components (the secret is case-sensitive, and must have no spaces before or after it):

  • Model Configuration for the Controller/Access Point in question.  Secrets defined in the SSID Configuration will override the secret defined in the Controller/Access Point model for that specific SSID.
  • The switch/Controller/Access Point itself.  Check the RADIUS secret configured at the SSID level as well.
  • RADIUS Server (802.1x authentication)
  • RADIUS Server model in NAC (System > Settings > RADIUS)  (802.1x authentication)


3)  Radius Server Model  (802.1x authentication only)
System > Settings > RADIUS

  • The User Name and Password defined in the RADIUS Server model in NAC must match the account created on the RADIUS Server itself.
  • The Authentication Port is set to the same value (1812 by default) on both the RADIUS Server model in NAC and the RADIUS Server.


4)  Confirm NAC is receiving RADIUS Access-Requests from the switch/Controller/Access Point and is responding with either an Access-Accept or an Access-Reject.  This can be done via tcpdump on the NAC Server/Control Server (the RADIUS Authentication Port is 1812 by default):
tcpdump -nni any port <RADIUS Authentication Port> and host <Controller/AP ip address>

 
or
 
Enable RadiusManager debug and review the output.master log on the NAC Server/Control Server.


a. In the Control Server CLI, type
CampusMgrDebug -name RadiusManager true
cd /bsc/campusMgr/master_loader/
tail -F output.master | egrep -i "xx:xx:xx:xx:xx:xx|xxxxxxxxxxxx|xx-xx-xx-xx-xx-xx"

Example (the three alternatives cover the colon-separated, bare and dash-separated forms of the client MAC address):
tail -F output.master | egrep -i "DC:71:96:11:99:19|DC7196119919|DC-71-96-11-99-19"
 

If FortiNAC is the RADIUS termination point (Local RADIUS), also turn on this debug in addition:

CampusMgrDebug -name RadiusAccess true

 

Also review /var/log/radius/radius.log for the local RADIUS server's own debugging.  On FortiNAC version 9.x and up, first go to the Local RADIUS configuration, open Debug&Troubleshooting and set FortiNAC Server log Debug to "Enable".

 
b. Have client attempt to connect.
c. Type Ctrl-C to stop tail.

d. Disable debug.  Type
CampusMgrDebug -name RadiusManager false

CampusMgrDebug -name RadiusAccess false
 
 
 
Control Server Not Receiving RADIUS Requests
a. Verify the switch/controller/Access Point is configured correctly and is sending the requests.

If the device is not sending requests, contact the vendor for further assistance.  It may be helpful to provide the following capturing the behavior:

  • Packet capture taken from the FortiNAC CLI of the RADIUS transaction.  The following command will write to a cap file (viewable using applications such as Wireshark): tcpdump -s 0 -w <filename>.cap -i any '(port 1812)'
  • Logs from the Controller covering the same timeframe the packet capture was taken
b. Verify firewall rules to ensure UDP port 1812 is not being blocked between the device and the NAC Server/Control Server.
 
 
 
 
Control Server Not Responding

a) 802.1x Authentication
Confirm RADIUS Access Requests are reaching the RADIUS server, and whether or not the server is responding.  This can be verified by taking a packet capture on both NAC Server/Control Server and RADIUS Server sides:
tcpdump -nni any host <RADIUS Server ip address>

  • RADIUS server is not responding: refer to related KB article below.
  • RADIUS server is sending Access Accepts: review output.master logs and consult with Support.
b) Mac Authentication: review output.master logs and consult with Support.
 
 
Control Server Responding with Access Accept
A value in the Access-Accept sent by FortiNAC is not accepted by the Controller or Access Point.  A common cause is the secret not matching: the Controller validates the Response Authenticator of every reply (an MD5 hash over the reply and the shared secret, RFC 2865) and silently discards any reply that fails the check, so the capture shows an Access-Accept leaving FortiNAC while the client is still not granted access.  Verify the secret matches between all of the following:
  • Controller or Access Point
  • FortiNAC Model Configuration and SSID Configuration 
  • RADIUS Server (if using 802.1x Authentication)
Another possible cause is that the Controller or Access Point is not operating properly; contact the appropriate vendor for further troubleshooting.
If the behavior persists, contact the vendor for further assistance to determine why the Controller is not processing the response as expected.  Provide the following capturing the behavior:
  • Packet capture taken from the FortiNAC CLI of the RADIUS transaction.  The following command will write to a cap file (viewable using applications such as Wireshark): tcpdump -s 0 -w <filename>.cap -i any '(port 1812)'
  • Logs from the Controller covering the same timeframe the packet capture was taken
Cisco WLC debugs can be viewed in the controller's CLI using the following commands.
Note: syntax may change based on firmware version.  Refer to Cisco documentation if the following commands do not work.
 
debug aaa all enable
 
(Messaging will start to scroll on the screen)
 
To stop:
debug aaa all disable
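The secret check in step 2 and the silently discarded Access-Accept described in this section both come down to one computation: the Response Authenticator.  The following is an added example (not FortiNAC code) that decodes a RADIUS packet, computes the Response Authenticator the way a RADIUS server does, and verifies it the way the Controller does.  It works on the UDP payload of a packet, for example one exported from the tcpdump capture above.  The shared secret, MAC address, NAS address, VLAN and Request Authenticator are all constructed for the example; a real NAS picks a random 16-byte Request Authenticator per request.

```python
"""Decode RADIUS packets and check the Response Authenticator against a given secret.

Added example; not FortiNAC code.  All values below are constructed for the example.
"""
import hashlib
import hmac
import struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ATTRS = {1: "User-Name", 4: "NAS-IP-Address", 31: "Calling-Station-Id",
         64: "Tunnel-Type", 65: "Tunnel-Medium-Type", 81: "Tunnel-Private-Group-ID"}


def encode_attrs(attrs):
    """attrs: list of (type, value bytes) -> RADIUS type/length/value bytes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_request(ident, request_auth, attrs):
    """NAS side: Code 1, Identifier, Length, 16-byte Request Authenticator, attributes."""
    body = encode_attrs(attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + request_auth + body


def build_response(code, request, attrs, secret):
    """Server side: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body


def parse(packet):
    """Decode header and attributes; raises ValueError on malformed length fields."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs.append((ATTRS.get(t, f"Attr-{t}"), packet[pos + 2:pos + l]))
        pos += l
    return {"code": CODES.get(code, code), "id": ident, "authenticator": packet[4:20], "attributes": attrs}


def verify_response(response, request_auth, secret):
    """Controller side check; False means the Controller silently drops the reply (RFC 2865)."""
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + request_auth + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def assigned_vlan(response):
    """VLAN from Tunnel-Private-Group-ID, with the RFC 2868 tag byte stripped if present."""
    for name, val in parse(response)["attributes"]:
        if name == "Tunnel-Private-Group-ID":
            return (val[1:] if val[0] <= 0x1F else val).decode()
    return None


SECRET = b"fortinac-shared-secret"      # constructed
REQUEST_AUTH = bytes(range(16))          # constructed; a real NAS uses 16 random bytes
MAC = "DC:71:96:11:99:19"                # placeholder MAC used in the article's egrep example

ACCESS_REQUEST = build_request(42, REQUEST_AUTH, [
    (1, b"DC7196119919"),                # MAC authentication: User-Name is the MAC
    (31, MAC.encode()),                  # Calling-Station-Id
    (4, bytes([192, 0, 2, 10])),         # NAS-IP-Address (documentation range)
])
ACCEPT_ATTRS = [
    (64, b"\x01\x00\x00\x0d"),           # Tunnel-Type = VLAN (13), tag 1
    (65, b"\x01\x00\x00\x06"),           # Tunnel-Medium-Type = IEEE-802 (6), tag 1
    (81, b"\x01" + b"100"),              # Tunnel-Private-Group-ID = VLAN 100, tag 1
]


def demo():
    """Correct secret verifies; the same secret with a trailing space does not."""
    accept = build_response(2, ACCESS_REQUEST, ACCEPT_ATTRS, SECRET)
    good = verify_response(accept, REQUEST_AUTH, SECRET)
    bad = verify_response(accept, REQUEST_AUTH, SECRET + b" ")   # trailing space typed on the Controller
    return parse(accept)["code"], good, bad, assigned_vlan(accept)


if __name__ == "__main__":
    print(demo())
```

To apply this to a real capture, export the UDP payload of the Access-Request and of the matching Access-Accept (same Identifier) and call verify_response with the request's authenticator bytes and each candidate secret; the secret that verifies is the one FortiNAC is using, and if none does, including the one configured on the Controller, the secrets differ.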
Control Server Responding with Access Reject
a) 802.1x Authentication
  • RADIUS server sending Access Reject: review the RADIUS server logs to determine cause.
  • RADIUS server sending Access Accept, but FortiNAC replying to the device with Access Reject:
    • In Topology under the Network Access section of the SSID Configuration or Model Configuration, check to see if Access Enforcement is set to Deny for the applicable Host State.  
    • Review output.master logs and consult with Support.
b) MAC Authentication:
  • In Topology under the Network Access section of the SSID Configuration or Model Configuration, check to see if Access Enforcement is set to Deny for the applicable Host State.  
  • Review output.master logs and consult with Support.

 

Related Articles

Technical Note: 802.1x connectivity issues due to no RADIUS server response

Technical Note: Troubleshooting wireless clients moved to the wrong VLAN