Skip to main content
kwcheng__FTNT
Staff
kwcheng__FTNT
Staff
May 20, 2026

Technical Tip: How to check whether any FortiToken is assigned to a user through radius authentication log

  • May 20, 2026
  • 0 replies
  • 17 views

Description

This article describes how to identify whether any FortiToken is assigned to a user through radius authentication log.

Scope

 FortiAuthenticator.

Solution

When troubleshooting issues related to FortiToken, it is common to check the RADIUS authentication log to troubleshoot any issues related to FortiTokens.


Hereby is an example when a FortiToken is assigned to the user, 'token_type' will display as 'fortitoken':


2026-05-20T23:44:55.100510+08:00 FAC-VM64-KVM radiusd[9999]: (888) facauth: Input raw_username: Testtest Realm: (null) username: TestUser
2026-05-20T23:44:55.110524+08:00 FAC-VM64-KVM radiusd[9999]: (888) facauth: Searching default realm as well
2026-05-20T23:44:55.120542+08:00 FAC-VM64-KVM radiusd[9999]: (888) facauth: Realm not specified, default goes to FAC local user
2026-05-20T23:44:55.132803+08:00 FAC-VM64-KVM radiusd[9999]: (888) facauth: Local user found: TestUser
2026-05-20T23:44:55.142826+08:00 FAC-VM64-KVM radiusd[9999]: (888) facauth: User [enable fido: false, token count: 0, revoked_token_count: 0]
2026-05-20T23:44:55.152845+08:00 FAC-VM64-KVM radiusd[9999]: (888) facauth: Policy [fido_auth_opt: disabled, twofactor: allow both, no_fido: two factor, revoked: reject]
2026-05-20T23:44:55.162863+08:00 FAC-VM64-KVM radiusd[9999]: (888) facauth: Decided on [is_fido: false, two_factor: allow both, token_type: fortitoken]


Hereby is an example when a FortiToken is NOT assigned to the user, 'token_type' will display as 'none':


2026-05-20T23:44:55.100510+08:00 FAC-VM64-KVM radiusd[9999]: (888) facauth: Input raw_username: Testtest Realm: (null) username: TestUser
2026-05-20T23:44:55.110524+08:00 FAC-VM64-KVM radiusd[9999]: (888) facauth: Searching default realm as well
2026-05-20T23:44:55.120542+08:00 FAC-VM64-KVM radiusd[9999]: (888) facauth: Realm not specified, default goes to FAC local user
2026-05-20T23:44:55.132803+08:00 FAC-VM64-KVM radiusd[9999]: (888) facauth: Local user found: TestUser
2026-05-20T23:44:55.142826+08:00 FAC-VM64-KVM radiusd[9999]: (888) facauth: User [enable fido: false, token count: 0, revoked_token_count: 0]
2026-05-20T23:44:55.152845+08:00 FAC-VM64-KVM radiusd[9999]: (888) facauth: Policy [fido_auth_opt: disabled, twofactor: allow both, no_fido: two factor, revoked: reject]
2026-05-20T23:44:55.162863+08:00 FAC-VM64-KVM radiusd[9999]: (888) facauth: Decided on [is_fido: false, two_factor: allow both, token_type: none]


The RADIUS authentication log can be found by following these steps:

  1. Log in to the FortiAuthenticator GUI.

  2. Access to 'https://FortiAuthenticator_IP/debug/'.

  3. Under RADIUS -> Authentication.

      Terms & ConditionsAccessibility statement