
Fortigate 7.2.6 RADIUS client can't successfully test connection

New Contributor III

Hi all.

Added a Fortigate as RADIUS client but from the Fortigate itself the "test connectivity" is not completing successfully.

With tcpdump on the NAC engine I can see "Access-Request" but no response.

RADIUS client is configured with Authentication Type "Any Access" and would send "RFC 3850 - VLAN ID" attributes. But I don't think this is relevant...

Thanks for any hint!



Extreme Employee

My experience with Fortigate (years ago) was that the firewall did not provide the port in the RADIUS request. I had to add the Fortigate as "switch type = VPN".


Good luck


Regards Zdeněk Pala

FWIW I have it working as L2 access, but test-connectivity didn't until I added it to a location that was in a policy. The RADIUS debug logs are helpful.


Fortigate config is very simple:

config user radius
edit "ExtremeControl"
set server ""
# set secret ENC <removed>
set nas-ip
set acct-interim-interval 600

A case was opened by Flavio on this; waiting on traces. This is my suspicion as well: that the RADIUS request is missing NAS-Port / Port-Id or some combination therein.

Confirmed via trace. The FortiGate agent is not supplying NAS-Port, which for Switch Type "Layer 2 Out-Of-Band" (default) is a required attribute. The request will be summarily dropped without it.

Should be able to use either "Layer 2 RADIUS Only" or "VPN" to side-step this requirement.

RFC 2865
An Access-Request SHOULD contain a NAS-Port or NAS-Port-Type attribute or both unless the type of access being requested does not involve a port or the NAS does not distinguish among its ports.


EDIT: will also add that the trace indicated the client request was MSCHAPv1. Extreme Control supports PAP, CHAP, MSCHAPv2 and various EAP methods; consider MSCHAPv1 deprecated/obsolete.
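
An added example, not part of the thread or of any Extreme or Fortinet tooling: a small parser that takes the UDP payload of a captured Access-Request and reports whether NAS-Port or NAS-Port-Type is present and which authentication method the client used. The function names and the sample packet are constructed for illustration; attribute numbers are those of RFC 2865, RFC 3579 and RFC 2548.

```python
import struct

# Attribute numbers: RFC 2865 (2, 3, 5, 26, 61), RFC 3579 (79).
# Microsoft vendor-specific types (vendor 311): RFC 2548.
NAS_PORT, NAS_PORT_TYPE, VENDOR_SPECIFIC = 5, 61, 26
AUTH_ATTRS = {2: "PAP", 3: "CHAP", 79: "EAP"}
MS_VENDOR_ID = 311
MS_AUTH_VSAS = {1: "MSCHAPv1", 25: "MSCHAPv2"}

def parse_attributes(packet: bytes) -> list:
    """Return [(type, value), ...] from an Access-Request, validating lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1 or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Request header")
    attrs, pos = [], 20
    while pos < length:
        alen = packet[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute at offset %d has an invalid length" % pos)
        attrs.append((packet[pos], packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def inspect_access_request(packet: bytes) -> dict:
    """Report port attributes and the authentication method(s) in the request."""
    attrs = parse_attributes(packet)
    types = {t for t, _ in attrs}
    auth = {AUTH_ATTRS[t] for t in types if t in AUTH_ATTRS}
    for atype, value in attrs:
        if atype == VENDOR_SPECIFIC and len(value) >= 5:
            vendor = struct.unpack("!I", value[:4])[0]
            if vendor == MS_VENDOR_ID and value[4] in MS_AUTH_VSAS:
                auth.add(MS_AUTH_VSAS[value[4]])
    return {"nas_port": NAS_PORT in types,
            "nas_port_type": NAS_PORT_TYPE in types, "auth": auth}

def build_request(attrs) -> bytes:
    """Constructed sample data: an Access-Request with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + bytes(16) + body

# Constructed sample: MS-CHAP-Response VSA and no NAS-Port, like the trace described.
SAMPLE = build_request([(1, b"test"), (4, bytes([192, 0, 2, 1])),
                        (26, struct.pack("!IBB", 311, 1, 52) + bytes(50))])
```

Calling `inspect_access_request(SAMPLE)` reports no port attributes and `MSCHAPv1`, the two conditions identified in the trace above.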