FortiConnect
FortiConnect is used to connect Fortinet devices.
vinodhk
Staff
Article Id 271113
Description This article describes what to verify on the FortiConnect side when the FortiConnect logs show that authentication succeeded but the authorization policy has denied access.
Scope FortiConnect.
Solution

Wireless clients connect to the SSID and get the external captive portal page from FortiConnect. After the user supplies the username and password credentials, the portal shows a blank page.

 

Troubleshooting to be done:

  • Check on the FortiConnect side by enabling RADIUS authentication logging under the Logs & Reports and Radius authentication menu.

It shows the following:

 

vinodhk_0-1693393945494.png

 

  • Check the system logs by enabling 'Error & Notice & Info & Debug' for RADIUS on FortiConnect. The logs show the following:

12:02:35.3862+00,Complete,23,172.31.254.2,46,1,3,In,MS-CHAP-Error,7E=691 R=1 C=b7ff2f635548b5241513169a37519518 V=3 M=Authentication rejected
82,192.168.60.6,xx:xx:xx:xx:xx:xx,xxxxxx@xxxx.local, ,192.168.60.1,9089,"Authentication succeeded, but the Authorization Policy has denied access", ,2023-08-01 12:02:34.2808+00,2023-08-01 12:02:34.368+00,Complete,22,172.31.254.2,43,0,1,In,NAS-Identifier,FW-FGT3HD

 

  • Check the Dashboard logs of the FortiConnect GUI and it shows the following:

vinodhk_1-1693393945499.png

 

In this case, the Dashboard logs show that the user at 192.168.60.6 is trying to authenticate from an invalid (wrong) location. 192.168.60.6 is the wireless client's IP address.

The Dashboard logs indicate that some location entries are missing under the Authorization profile.

  • Check the specific Authorization profile that FortiConnect uses for the user tested on the wireless client.

  1. Select the specific Authorization profile in the FortiConnect GUI to edit its configuration.
  2. Select the Location tab inside the Authorization profile configuration and add the required client subnet, 192.168.60.0/24 in this case. It is also possible to add multiple subnets/IP addresses. The format for the subnets should be as follows: Subnet/subnet mask.
  3. The above-mentioned subnet and subnet mask values allow requests that come from the specific subnet.
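The check described above can be scripted over an exported RADIUS log to list which denied client IPs fall outside the Location entries of the Authorization profile. This is an added example, not part of the original article or Fortinet's code; the function names, the sample rows and the assumption that the second CSV field is the client IP (as in the article's sample line) are illustrative.

```python
import csv
import ipaddress
from collections import Counter

DENIED = "Authentication succeeded, but the Authorization Policy has denied access"
CLIENT_IP_FIELD = 1  # assumption: 2nd CSV field is the client IP, as in the article's sample

# Constructed sample rows, modelled on the log line shown in the article.
SAMPLE_LOG = [
    '82,192.168.60.6,xx:xx:xx:xx:xx:xx,user1@example.local, ,192.168.60.1,9089,'
    '"Authentication succeeded, but the Authorization Policy has denied access", ,2023-08-01 12:02:34+00',
    '83,192.168.61.20,xx:xx:xx:xx:xx:xx,user2@example.local, ,192.168.60.1,9090,'
    '"Authentication succeeded, but the Authorization Policy has denied access", ,2023-08-01 12:03:10+00',
    '84,192.168.60.7,xx:xx:xx:xx:xx:xx,user3@example.local, ,192.168.60.1,9091,'
    '"Authentication succeeded", ,2023-08-01 12:04:00+00',
    '12:02:35.3862+00,Complete,23,172.31.254.2,46,1,3,In,MS-CHAP-Error,M=Authentication rejected',
]

def denied_clients(log_lines):
    """Return the client IPs of rows carrying the authorization-denied message."""
    ips = []
    for row in csv.reader(log_lines):
        if len(row) <= CLIENT_IP_FIELD or not any(f.strip() == DENIED for f in row):
            continue
        try:
            ips.append(ipaddress.ip_address(row[CLIENT_IP_FIELD].strip()))
        except ValueError:
            continue  # fragment or malformed row: no usable client IP
    return ips

def uncovered(ips, location_entries):
    """Count denied client IPs that match no Location entry.

    Entries may be single IPs, CIDR subnets or Subnet/subnet mask pairs.
    """
    nets = [ipaddress.ip_network(e, strict=False) for e in location_entries]
    return Counter(str(ip) for ip in ips if not any(ip in n for n in nets))

if __name__ == "__main__":
    ips = denied_clients(SAMPLE_LOG)
    for ip, n in uncovered(ips, ["192.168.60.0/24"]).items():
        print(f"{ip}: {n} denial(s), not covered by any Location entry")
```

Run it with the Location entries currently in the profile: any IP it reports belongs to a subnet that still has to be added, or to a client that should not be connecting from there.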