
Fortigate 7.2.6 RADIUS client can't successfully test connection


Flavio
New Contributor III

Hi all.

Added a Fortigate as RADIUS client but from the Fortigate itself the "test connectivity" is not completing successfully.

With tcpdump on the NAC engine I can see "Access-Request" but no response.

RADIUS client is configured with Authentication Type "Any Access" and would send "RFC 3850 - VLAN ID" attributes. But I don't think this is relevant...

Thanks for any hint!

F.


Zdeněk_Pala
Extreme Employee

My experience with FortiGate (years ago) was that the firewall did not provide the port in the RADIUS request. I had to add the FortiGate as "switch type = VPN".


good luck


Regards Zdeněk Pala

FWIW I have it working as L2 access, but test-connectivity didn't until I added it to a location that was in a policy. The RADIUS debug logs are helpful.


Fortigate config is very simple:

config user radius
    edit "ExtremeControl"
        set server "radius.example.com"
        # set secret ENC <removed>
        set nas-ip 10.20.0.5
        set acct-interim-interval 600
    next
end

A case was opened by Flavio on this; waiting on traces. This is my suspicion as well that the RADIUS request is missing NAS-Port / Port-Id or some combination therein.

Confirmed via trace. The FortiGate agent is not supplying NAS-Port which for Switch Type "Layer 2 Out-Of-Band" (default) is a required attribute. The request will be summarily dropped without it.

Should be able to use either "Layer 2 RADIUS Only" or "VPN" to side-step this requirement.

RFC 2865
An Access-Request SHOULD contain a NAS-Port or NAS-Port-Type attribute or both unless the type of access being requested does not involve a port or the NAS does not distinguish among its ports.


EDIT: will also add that the trace indicated the client request was MSCHAPv1. Extreme Control supports PAP, CHAP, MSCHAPv2 and various EAP methods; consider MSCHAPv1 deprecated/obsolete.
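To make the two findings above (no NAS-Port/NAS-Port-Type, and MS-CHAPv1 in the request) checkable against a captured packet, here is an added example: a minimal RADIUS Access-Request parser in Python that reports why a server with the "Layer 2 Out-Of-Band" requirement would drop the request. This is not code from the thread, from Extreme or from Fortinet. The two sample packets are constructed: the user name and the zero-filled MS-CHAP challenge/response fields are placeholders, and the NAS-IP-Address 10.20.0.5 is taken from the FortiGate config posted earlier. Attribute numbers come from RFC 2865 (NAS-Port 5, NAS-Port-Type 61, Vendor-Specific 26) and RFC 2548 (Microsoft vendor ID 311, MS-CHAP-Response 1, MS-CHAP-Challenge 11, MS-CHAP2-Response 25).

```python
import struct

# RADIUS packet code and attribute types (RFC 2865)
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_PORT = 5
ATTR_VENDOR_SPECIFIC = 26
ATTR_NAS_PORT_TYPE = 61
NAS_PORT_TYPE_VIRTUAL = 5  # NAS-Port-Type value used for VPN-style access

# Microsoft vendor-specific attributes (RFC 2548)
MICROSOFT_VENDOR_ID = 311
MS_CHAP_RESPONSE = 1     # MS-CHAPv1 response
MS_CHAP_CHALLENGE = 11
MS_CHAP2_RESPONSE = 25   # MS-CHAPv2 response


def parse_radius(packet: bytes):
    """Parse one RADIUS packet into (code, identifier, authenticator, [(type, value), ...])."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("RADIUS length field is inconsistent with packet size")
    authenticator = packet[4:20]
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length runs past end of packet")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, authenticator, attrs


def check_access_request(packet: bytes):
    """Return a list of findings that would make a port-aware RADIUS server drop or reject it."""
    code, _, _, attrs = parse_radius(packet)
    if code != ACCESS_REQUEST:
        return [f"not an Access-Request (code {code})"]
    findings = []
    present = {atype for atype, _ in attrs}
    if ATTR_NAS_PORT not in present and ATTR_NAS_PORT_TYPE not in present:
        findings.append("missing both NAS-Port and NAS-Port-Type (RFC 2865: Access-Request SHOULD carry one)")
    for atype, value in attrs:
        # Vendor-Specific layout: Vendor-Id(4) | Vendor-Type(1) | Vendor-Length(1) | data
        if atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            if vendor_id == MICROSOFT_VENDOR_ID and value[4] == MS_CHAP_RESPONSE:
                findings.append("client is using MS-CHAPv1 (MS-CHAP-Response); obsolete, prefer MS-CHAPv2/EAP")
    return findings


def build_access_request(attrs, ident=1, authenticator=bytes(16)):
    """Serialize an Access-Request; a fixed authenticator is used here only so the sample is deterministic."""
    body = b"".join(bytes([atype, len(value) + 2]) + value for atype, value in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def ms_vsa(vendor_type: int, data: bytes) -> bytes:
    """Encode one Microsoft vendor-specific attribute value."""
    return struct.pack("!IBB", MICROSOFT_VENDOR_ID, vendor_type, len(data) + 2) + data


def fortigate_like_request() -> bytes:
    """Constructed packet mirroring the trace described in the thread: MS-CHAPv1 and no port attribute."""
    return build_access_request([
        (ATTR_USER_NAME, b"testuser"),                        # placeholder user name
        (ATTR_NAS_IP_ADDRESS, bytes([10, 20, 0, 5])),         # nas-ip from the posted config
        (ATTR_VENDOR_SPECIFIC, ms_vsa(MS_CHAP_CHALLENGE, bytes(8))),   # zero-filled 8-byte v1 challenge
        (ATTR_VENDOR_SPECIFIC, ms_vsa(MS_CHAP_RESPONSE, bytes(50))),   # zero-filled v1 response
    ])


def compliant_request() -> bytes:
    """Constructed packet that a port-aware server accepts: NAS-Port-Type present, MS-CHAPv2 used."""
    return build_access_request([
        (ATTR_USER_NAME, b"testuser"),
        (ATTR_NAS_IP_ADDRESS, bytes([10, 20, 0, 5])),
        (ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_VIRTUAL)),
        (ATTR_VENDOR_SPECIFIC, ms_vsa(MS_CHAP_CHALLENGE, bytes(16))),  # zero-filled 16-byte v2 challenge
        (ATTR_VENDOR_SPECIFIC, ms_vsa(MS_CHAP2_RESPONSE, bytes(50))),  # zero-filled v2 response
    ])


if __name__ == "__main__":
    for name, pkt in (("fortigate-like", fortigate_like_request()), ("compliant", compliant_request())):
        print(name, check_access_request(pkt) or ["ok"])
```

To use it on a real capture, export the UDP payload of the Access-Request from the tcpdump on the NAC engine and pass those bytes to check_access_request(); an empty list means neither of the two conditions discussed in this thread applies, and a non-empty one points at the attribute or authentication method to change on the FortiGate side or the switch type to change on the ExtremeControl side.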
