Technical Tip: How to Collect Logs for FortiAuthenticator OWA Agent and Basic Troubleshooting Information
Description
This article describes the steps required to collect logs for the FortiAuthenticator OWA Agent and essential troubleshooting information.
Scope
FortiAuthenticator.
Solution
Key Logs to Collect:
To begin troubleshooting, ensure the following logs are collected:
- FortiAuthenticator IIS Agent Logs:
  Location: C:\Program Files\Fortinet\FortiAuthenticator IIS Agent\Web\bin\log
  Log Files:
  - FAC_IIS_Agent.LoginForm_log.txt
  - FAC_IIS_Agent.Configuration_log.txt
- FortiAuthenticator Debug Logs: Access the following debug logs directly from the FortiAuthenticator web interface:
  - RADIUS Debug Logs: https://<FortiAuthenticator-IP>/debug/radius/
  - Push Service Debug Logs: https://<FortiAuthenticator-IP>/debug/wad-service/
  - REST API Debug Logs: https://<FortiAuthenticator-IP>/debug/rest_api/
Troubleshooting Steps:
- Identify the Affected User: Before gathering logs, test with a user who has the problem.
- SSH into FortiAuthenticator: Establish an SSH session to the FortiAuthenticator device using an SSH client such as PuTTY or any terminal tool.
- Enable Debugging: Once logged in via SSH, run the following commands to enable detailed debugging on the FortiAuthenticator:
    diagnose system wad debug all
    diagnose system wad debug pts enable
  To stop debugging:
    diagnose system wad debug clear
    diagnose system wad debug pts clear
- Verify Debug Mode on the FortiAuthenticator Web Interface: Navigate to https://<FortiAuthenticator-IP>/debug/radius on the FortiAuthenticator Web Interface. Ensure that the 'DEBUGGING MODE ACTIVE' status is displayed in red. If it is not, select the 'Enter Debug Mode' button to activate debugging.
- Test Authentication Flows: Perform two different tests to gather relevant debug data, for example:
  - Test 1: Attempt an OWA login using the Push Notification. Note the timestamp.
  - Test 2: Attempt an OWA login using the Manual Token. Note the timestamp.
- Attach Logs to the Support Ticket: After performing the tests, collect the following logs and attach them to the support ticket:
  - REST API Debug Logs: https://<FortiAuthenticator-IP>/debug/rest_api
  - RADIUS Authentication Logs: https://<FortiAuthenticator-IP>/debug/radius
  - WAD Debug Logs: https://<FortiAuthenticator-IP>/debug/wad-service
  - FortiAuthenticator IIS Agent Logs: FAC_IIS_Agent.LoginForm_log.txt and FAC_IIS_Agent.Configuration_log.txt
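One way to gather the two IIS Agent log files for the ticket, as an added example that is not part of the original article or a Fortinet tool. It is meant to be saved as a script and run on the server hosting the agent; the `-TestStart` and `-OutDir` parameters, the `manifest.csv` file and the archive name are assumptions made for this sketch.

```powershell
# Added example: bundle the FortiAuthenticator IIS Agent logs after the two OWA tests.
param(
    # Time noted just before Test 1 (assumption: supplied by the operator).
    [Parameter(Mandatory)] [datetime] $TestStart,
    # Folder that receives the archive (hypothetical default).
    [string] $OutDir = "$env:USERPROFILE\Desktop"
)

# Path and file names as given in the article.
$logDir   = 'C:\Program Files\Fortinet\FortiAuthenticator IIS Agent\Web\bin\log'
$logNames = 'FAC_IIS_Agent.LoginForm_log.txt', 'FAC_IIS_Agent.Configuration_log.txt'

$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$staging = Join-Path $env:TEMP "FAC_IIS_Agent_logs_$stamp"
New-Item -ItemType Directory -Path $staging -Force | Out-Null

$manifest = foreach ($name in $logNames) {
    $path = Join-Path $logDir $name
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "Missing log file: $path"
        continue
    }
    $file = Get-Item -LiteralPath $path
    # A log untouched since the tests began suggests the login never reached the agent.
    if ($file.LastWriteTime -lt $TestStart) {
        Write-Warning "$name has not been written to since $TestStart."
    }
    Copy-Item -LiteralPath $path -Destination $staging
    # Record size, timestamp and hash of the copy so the attachment can be verified later.
    [pscustomobject]@{
        File          = $name
        SizeBytes     = $file.Length
        LastWriteTime = $file.LastWriteTime.ToString('o')
        SHA256        = (Get-FileHash -LiteralPath (Join-Path $staging $name) -Algorithm SHA256).Hash
    }
}

if (-not $manifest) { throw "No IIS Agent logs found in $logDir" }

$manifest | Export-Csv -Path (Join-Path $staging 'manifest.csv') -NoTypeInformation
$zip = Join-Path $OutDir "FAC_IIS_Agent_logs_$stamp.zip"
Compress-Archive -Path (Join-Path $staging '*') -DestinationPath $zip
Remove-Item -LiteralPath $staging -Recurse -Force
Write-Output "Bundle written to $zip"
```

The login form log may contain user identifiers, so review the archive before attaching it to the ticket.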
