How to fix a delay in the RADIUS server response for remote wireless users authenticating with EAP-TLS

This article describes an Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) deployment for wireless users in which the RADIUS server is reached over an IPsec VPN, and how to troubleshoot a delay in the response from the RADIUS server.

Scope

FortiGate, FortiAP

Topology

Remote wireless user (EAP-TLS) -> FortiAP -> Switch -> FGT1 <-- IPsec tunnel --> FGT2 -> RADIUS server

Debug on FGT2, to see the authentication process for the remote station with MAC address 70:cf:49:e6:c2:c9:

diagnose wireless-controller wlac sta_filter clear
diagnose wireless-controller wlac sta_filter 70:cf:49:e6:c2:c9 255
di debug console timestamp enable
diag deb en
diagnose wireless-controller wlac sta_filter
STA Filter Index 0/1 sta 70:cf:49:e6:c2:c9 log-enabled 255
di de en
2024-08-07 14:46:39 01589.157 70:cf:49:e6:c2:c9 <ih> IEEE 802.11 mgmt::assoc_req <== 70:cf:49:e6:c2:c9 ws (1-10.136.8.131:5246) ...
...
2024-08-07 14:46:39 01589.158 70:cf:49:e6:c2:c9 <ih> IEEE 802.11 mgmt::assoc_resp ==> 70:cf:49:e6:c2:c9 ws (1-10.136.8.131:5246) ...
..
2024-08-07 14:47:17 01628.998 70:cf:49:e6:c2:c9 cwd_sta_idle_timeout_notify sta 70:cf:49:e6:c2:c9
2024-08-07 14:47:17 01628.999 70:cf:49:e6:c2:c9 cwAcProcInputLocalMsg: cwAcKernDataDelSta failed 70:cf:49:e6:c2:c9 rId 0 wId 0
2024-08-07 14:47:17 01628.999 70:cf:49:e6:c2:c9 <dc> STA del 70:cf:49:e6:c2:c9 ws (1-10.136.8.131:5246) vap GRUPO test
2024-08-07 14:47:17 01628.999 70:cf:49:e6:c2:c9 cwAcProcInputLocalMsg D2C_STA_DEL wl GRUPO test
2024-08-07 14:47:17 01628.999 70:cf:49:e6:c2:c9 <ih> IEEE 802.11 mgmt::disassoc ==> 70:cf:49:e6:c2:c9 ...
..... 0 74:78:a6:05:91:08 sec WPA2 RADIUS action idle_timeout reason 0
2024-08-07 14:47:18 01628.000 70:cf:49:e6:c2:c9 cwAcStaRbtDel: D2C/C2C_STA_DEL remove sta 70:cf:49:e6:c2:c9
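As an added example (not part of the original article), the following Python script parses wlac sta_filter debug output like the lines above and flags stations that associated but were removed by idle timeout before 802.1X could complete. The sample lines are constructed from the output shown, and the 30-second threshold is an assumed value, not a FortiOS default.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the wlac sta_filter debug lines above.
SAMPLE_DEBUG = """\
2024-08-07 14:46:39 01589.157 70:cf:49:e6:c2:c9 <ih> IEEE 802.11 mgmt::assoc_req <== 70:cf:49:e6:c2:c9 ws (1-10.136.8.131:5246) ...
2024-08-07 14:46:39 01589.158 70:cf:49:e6:c2:c9 <ih> IEEE 802.11 mgmt::assoc_resp ==> 70:cf:49:e6:c2:c9 ws (1-10.136.8.131:5246) ...
2024-08-07 14:47:17 01628.998 70:cf:49:e6:c2:c9 cwd_sta_idle_timeout_notify sta 70:cf:49:e6:c2:c9
2024-08-07 14:47:17 01628.999 70:cf:49:e6:c2:c9 <ih> IEEE 802.11 mgmt::disassoc ==> 70:cf:49:e6:c2:c9 ...
"""

# wall-clock timestamp, controller uptime (ignored), station MAC, rest of message
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \d+\.\d+ ([0-9a-f:]{17}) (.*)$"
)


def parse_events(text):
    """Yield (timestamp, mac, message) for every well-formed debug line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group(2), m.group(3)


def stalled_authentications(text, max_auth_seconds=30):
    """Return {mac: seconds} for stations whose association ended in an idle
    timeout (no data traffic ever flowed, i.e. EAP never finished) after more
    than max_auth_seconds. max_auth_seconds is an assumed tuning knob."""
    assoc_time = {}
    stalled = {}
    for ts, mac, msg in parse_events(text):
        if "mgmt::assoc_req" in msg:
            assoc_time[mac] = ts  # (re)start the clock at association
        elif "cwd_sta_idle_timeout_notify" in msg and mac in assoc_time:
            elapsed = (ts - assoc_time.pop(mac)).total_seconds()
            if elapsed > max_auth_seconds:
                stalled[mac] = elapsed
    return stalled


if __name__ == "__main__":
    for mac, secs in stalled_authentications(SAMPLE_DEBUG).items():
        print(f"{mac}: idle-timed out {secs:.0f}s after association, EAP never completed")
```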

Step 1: Point all devices along the path to the same NTP server. For details on custom NTP configuration on the FortiGate, see: Technical Tip: Custom NTP server configuration

Step 2: Increase remoteauthtimeout on FGT2:

config system global
set remoteauthtimeout 60
end

Step 3: On both FortiGates, in the firewall policy that allows this traffic in and out, edit the tcp-mss values:

config firewall policy
edit ID <----- ID of the rule.
set tcp-mss-sender 1400
set tcp-mss-receiver 1400
set auto-asic-offload disable
set np-acceleration disable
next
end

Clear the old sessions so that new sessions pick up the policy changes:

diag sys session filter policy ID
diag sys session cl

After these modifications, 'Malformed Packets: Radius' disappeared.