FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
vpatil
Staff
Staff
Article Id 191430

Description
This article describes how to debug 802.1X authentication failure on managed FortiSwitch upon Certificate refresh or auto-renewal on RADIUS server.


Solution
1) On 'RADIUS Server', check the RADIUS Reject reason.

2) Temporarily turn-off primary RADIUS Server (affected) and verify if Wired clients can authenticate against secondary RADIUS Server (if any)

3) On the affected RADIUS Server – verify if there is any Certificate refresh or Certificate auto-renewal event

4) Delete the affected radius server and associated user group from FortiGate and recreate the radius server and user group.
Note that the radius server will be mapped to the user group and user group will be mapped to the security profile.
Make sure to remove the references associated with RADIUS server and user group to be able to delete it.
Before deleting the config, take FortiGate backup.

5) Re-create the RADIUS server and user group – map the radius server to user group – then map the user group to FortiSwitch 802.1x security profile.

Note.
For User Group and RADIUS Server config steps, see ‘Reference’ section below

6) Synchronize the new configuration with the FortiSwitch unit on FortiGate CLI:

# execute switch-controller trigger-config-sync                    
Note: On FSW v6.4.3 and later, trigger config-sync command on FGT as shown below:
# diagnose switch-controller trigger config-sync <FortiSwitch_Serial>

7) To verify if FortiGate unit and the FortiSwitch unit config are synchronized on FortiGate CLI:

# execute switch-controller get-sync-status all

8) Use below commands on FortiSwitch CLI:

# diagnose switch 802-1x status <portid>              <----- To check 802.1X auth state.
# diagnose switch vlan list <VLAN_ID>                 <----- To check 802.1X port VLAN ID.
# execute log display

9) Thereafter, test if wired clients can authenticate against the affected RADIUS server.

References.

1) Page 6: Setting up port-based 802.1x authentication in a FortiLink setup:
https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/5213c217-37ee-11ea-9384-005056...
2) Page 137: 802.1x authentication deployment example:
https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/daae6d6f-d2a0-11ea-96b9-005056...
3) FortiSwitch docs:
https://docs.fortinet.com/product/fortiswitch/6.4

Contributors