This article describes how to troubleshoot hosts that receive a RADIUS Access-Reject from FortiNAC when the file radius.log contains the error ‘ssl3_get_client_hello:no shared cipher’.
Scope
FortiNAC, FortiNAC-F.
Solution
This error means the TLS Client Hello sent by the supplicant does not offer any cipher suite that is on the allowed list in the FortiNAC RADIUS TLS configuration. The EAP-TLS handshake therefore fails before authentication starts, and the Local RADIUS server answers with an Access-Reject.
If the supplicant configuration cannot be retrieved from the connecting host, a packet capture of the authentication attempt provides the necessary details. Commands and examples of how and what to capture can be found here.
- Open the PCAP on the computer with Wireshark.
- Locate the Access-Request packet.
- Expand the tree until finding the section ‘Cipher Suites’ under Radius Protocol > Attribute Value Pairs > EAP-Message > Extensible Authentication Protocol > Transport Layer Security > Handshake Protocol: Client Hello > Cipher Suites.
Compare the list from the PCAP to the available ciphers found in the Local Radius config on the FortiNAC GUI:
- Log in to the Admin GUI with administrator credentials.
- Enter the RADIUS config menu via Network > Radius.
- Select the appropriate config from the bottom of the screen and select the TLSDetails button.
- The Ciphers list will appear along with a ‘+’ button to add more ciphers.
- Add at least one of the ciphers from the PCAP. Prefer a modern suite that both sides support (for example an ECDHE AES-GCM suite) rather than re-enabling a weak or deprecated one; if the supplicant offers only weak suites, correct the supplicant configuration instead of lowering the server's list.
The host and the Local RADIUS server now share at least one cipher suite, so the TLS handshake can complete and the Access-Reject caused by this error should no longer occur.
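The comparison in the steps above can also be done programmatically. The following Python script is an added example, not part of this article or of FortiNAC: it parses the Cipher Suites vector out of a TLS Client Hello record (the bytes Wireshark shows under Handshake Protocol: Client Hello), maps the IANA codes to OpenSSL-style names, and intersects them with an allowed list. The Client Hello bytes and the allowed list are constructed for the example; the assumption that the FortiNAC TLS Details list uses OpenSSL cipher names is the author's, and the name table covers only common suites.

```python
"""Check whether a supplicant's TLS Client Hello shares a cipher suite with
the Local RADIUS server's allowed list (added example, not FortiNAC code)."""
import struct

# IANA cipher-suite code -> OpenSSL name. Subset of common suites; extend as needed.
SUITE_NAMES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0xC02B: "ECDHE-ECDSA-AES128-GCM-SHA256",
    0xC02C: "ECDHE-ECDSA-AES256-GCM-SHA384",
    0xC02F: "ECDHE-RSA-AES128-GCM-SHA256",
    0xC030: "ECDHE-RSA-AES256-GCM-SHA384",
    0xC013: "ECDHE-RSA-AES128-SHA",
    0xC014: "ECDHE-RSA-AES256-SHA",
    0x009C: "AES128-GCM-SHA256",
    0x009D: "AES256-GCM-SHA384",
    0x002F: "AES128-SHA",
    0x0035: "AES256-SHA",
    0x000A: "DES-CBC3-SHA",
}
# Signalling values that appear in the vector but are not real cipher suites.
SIGNALLING = {0x00FF, 0x5600}  # TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_FALLBACK_SCSV


def parse_client_hello_ciphers(tls_record):
    """Return the list of cipher-suite codes offered in a TLS Client Hello record."""
    # TLS record header: content type (1), version (2), length (2)
    if len(tls_record) < 5 or tls_record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", tls_record[3:5])[0]
    body = tls_record[5:5 + rec_len]
    # Handshake header: msg type (1), length (3); 0x01 is ClientHello
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    pos = 2 + 32                       # skip client_version and the 32-byte random
    sid_len = hello[pos]
    pos += 1 + sid_len                 # skip session_id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(hello):
        raise ValueError("malformed cipher_suites vector")
    return [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]


def suite_name(code):
    """OpenSSL name for a suite code, or the raw hex if the table does not know it."""
    return SUITE_NAMES.get(code, "0x%04X" % code)


def shared_ciphers(offered_codes, allowed_names):
    """Names present both in the Client Hello and in the server's allowed list."""
    offered = {suite_name(c) for c in offered_codes if c not in SIGNALLING}
    return sorted(offered & set(allowed_names))


def build_client_hello(suites):
    """Construct a minimal TLS 1.2 Client Hello record offering the given suites
    (constructed sample data; the random is all zeros, no extensions)."""
    body = b"\x03\x03" + bytes(32) + b"\x00"          # version, random, empty session_id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                               # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed sample: what a supplicant might offer, and a server list that
# happens not to overlap with it (the situation behind "no shared cipher").
SAMPLE_HELLO = build_client_hello([0xC02F, 0xC030, 0x1301, 0x00FF])
SERVER_ALLOWED = ["ECDHE-ECDSA-AES256-GCM-SHA384", "AES256-SHA"]

if __name__ == "__main__":
    offered = parse_client_hello_ciphers(SAMPLE_HELLO)
    print("client offers:", [suite_name(c) for c in offered])
    print("shared before fix:", shared_ciphers(offered, SERVER_ALLOWED))
    # Add one of the client's modern suites to the server list, as in the procedure above.
    fixed = SERVER_ALLOWED + ["ECDHE-RSA-AES256-GCM-SHA384"]
    print("shared after fix:", shared_ciphers(offered, fixed))
```

To run it against a real capture, export the Client Hello record bytes from Wireshark (right-click the Transport Layer Security node, Export Packet Bytes) and pass them to parse_client_hello_ciphers; alternatively, tshark -r capture.pcap -Y "tls.handshake.type == 1" -T fields -e tls.handshake.ciphersuite lists the same codes directly. An empty result from shared_ciphers is exactly the condition that produces the ‘no shared cipher’ error.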