Jonathan_Body_FTNT (Staff)
September 8, 2010

Technical Tip: Troubleshooting FortiOS authentication issues


Description


This article provides some technical tips for troubleshooting FortiOS authentication issues.


Scope


All FortiOS users.

Solution

This article assumes that one of the following authentication servers has been configured on the FortiGate:
  • RADIUS server.
  • LDAP server.
  • TACACS+ server.
  • RSA/ACE (SecurID) server.

Note: In multi-VDOM environments, authentication configurations are specific to each VDOM.

Ensure the correct VDOM is selected before running the following commands:

config vdom
edit <vdom-name>

For diagnose commands, the VDOM can be selected using:

diagnose sys vd select <vdom-name>

  1. To show the configuration of the server, on the CLI, type the following commands to show some of the popular authentication servers:
  • show user radius: To show the RADIUS server configuration.
  • show user ldap: To show the LDAP server configuration.
  • show user tacacs+: To show the TACACS+ server configuration.

Here are all of the options:

FGT # show user
adgrp                   Configure FSSO groups.
certificate             Configure certificate users.
domain-controller       Configure domain controller entries.
exchange                Configure MS Exchange server entries.
fortitoken              Configure FortiToken.
fsso                    Configure Fortinet Single Sign On (FSSO) agents.
fsso-polling            Configure FSSO active directory servers for polling mode.
group                   Configure user groups.
krb-keytab              Configure Kerberos keytab entries.
ldap                    Configure LDAP server entries.
local                   Configure local users.
nac-policy              Configure NAC policy matching pattern to identify matching NAC devices.
password-policy         Configure user password policy.
peer                    Configure peer users.
peergrp                 Configure peer groups.
pop3                    POP3 server entry configuration.
quarantine              Configure quarantine support.
radius                  Configure RADIUS server entries.
saml                    SAML server entry configuration.
security-exempt-list    Configure security exemption list.
setting                 Configure user authentication setting.
tacacs+                 Configure TACACS+ server entries.

The following example shows an RSA server configured as a simple RADIUS server (this is mandatory when configuring RSA authentication):

FG300B3908-----6 (radius) # show
config user radius
    edit "Radius1"
        set radius-port 1812
        set secret ENC +dBqbWUO2JFy7cgcB1hTP0/CPbLF1RL9iuC41HHPgt8RAQV91PR/Q4c++4xNV6IkHuKr0vXQX8EmBr0rwbhSGr9f71IgRY88d0qecT7qdVty+0DE
        set server "192.168.24.3"
    next
end

  2. Open a new CLI console window and set up a sniffer. Here are the sniffer commands to capture traffic from some of the most popular servers:
    • For RADIUS: diag sniffer packet any 'host <IP-address> and (port 1645 or port 1812)' 6 0 l
    • For LDAP/LDAPS: diag sniffer packet any 'host <IP-address> and (port 389 or port 636)' 6 0 l
    • For TACACS+: diag sniffer packet any 'host <IP-address> and port 49' 6 0 l

  3. Open another CLI console and execute the following CLI commands for authentication debug:

diagnose debug reset
diagnose debug console time enable
diagnose debug application fnbamd -1
diagnose debug enable

  4. Perform an authentication test, either in a new CLI console or in the CLI console of step 2:

diagnose test authserver <type-of-server> <server-name> <authentication-protocol> <username> <password>

  • Here is the list of <type-of-server> values for which the authentication test can be run:

FGT # diagnose test authserver
radius            Test RADIUS server. [Take 0-4 arg(s)]
tacacs+           test TACACS+ server. [Take 0-3 arg(s)]
radius-direct     Test RADIUS server directly. [Take 0-7 arg(s)]
ldap-direct       Test LDAP server directly. [Take 0-2 arg(s)]
tacacs+-direct    Test TACACS+ server directly. [Take 0-3 arg(s)]
ldap              Test LDAP server. [Take 0-3 arg(s)]
ldap-digest       Test LDAP HA1 password query. [Take 0-2 arg(s)]
ldap-search       Search LDAP server. [Take 0-10 arg(s)]
cert              Test certificate authentication. [Take 0-255 arg(s)]
pop3              Test POP3 server. [Take 0-3 arg(s)]
local             Test local user. [Take 0-3 arg(s)]
user              Test user with group/user ID/name(s). [Take 0-255 arg(s)]

  • The supported <authentication-protocol> values are: pap, chap, mschap, mschap2.

This example assumes that PAP authentication is being used by the remote authentication server:

diagnose test authserver radius <server> pap <username> <password>

If the RADIUS server name contains a space, enclose the server name in double quotation marks (""). For example, if the server name is 'ABC RADIUS', the syntax is as follows:

diagnose test authserver radius "ABC RADIUS" pap user1 password123

  5. Use the following commands to stop the debug output: diagnose debug disable / diagnose debug reset
  6. If the authentication still fails after applying the above steps, collect the output from the above steps, provide it together with the configuration file of the FortiGate, and contact Fortinet Support.
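The sniffer in step 2 and the fnbamd debug in step 3 both end up showing the same RADIUS exchange: an Access-Request carrying the user name and the PAP-obfuscated password, followed by an Access-Accept or Access-Reject whose Response Authenticator is keyed with the shared secret. The following Python script is an added example and is not Fortinet's code; it reproduces that RFC 2865 exchange in-process (a simulated server, a constructed user table containing user1/password123, constructed shared secrets, no Message-Authenticator attribute) so the three outcomes a troubleshooter has to tell apart can be reproduced offline: a good Accept, a Reject caused by wrong credentials, and a reply that fails the authenticator check because the two sides hold different secrets. The file name radius_pap_demo.py is an assumption.

```python
"""Constructed RADIUS PAP exchange (RFC 2865) for interpreting a sniffer capture.

Added example, not Fortinet code. A minimal client and server run in one
process so that Accept, Reject and shared-secret mismatch can be reproduced
offline. Secrets, the user table and the identifier are constructed values.
"""
import hashlib
import hmac
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Constructed user database for the simulated server (not a real directory).
USERS = {"user1": "password123"}


def pap_encrypt(password: str, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    plain = password.encode()
    plain += b"\x00" * (-len(plain) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(plain), 16):
        block = bytes(x ^ y for x, y in zip(plain[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block
    return out


def pap_decrypt(cipher: bytes, secret: bytes, authenticator: bytes) -> str:
    """Inverse of pap_encrypt. With the wrong secret this yields garbage, not an error."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        out += bytes(x ^ y for x, y in zip(cipher[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00").decode(errors="replace")


def build_access_request(ident: int, username: str, password: str, secret: bytes) -> bytes:
    """Code(1) Identifier(1) Length(2) Request-Authenticator(16) Attributes(TLV)..."""
    authenticator = secrets.token_bytes(16)  # random per request, as the RFC requires
    attrs = b""
    for attr_type, value in ((ATTR_USER_NAME, username.encode()),
                             (ATTR_USER_PASSWORD, pap_encrypt(password, secret, authenticator))):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_packet(data: bytes):
    """Return (code, identifier, authenticator, [(type, value), ...]) for any RADIUS packet."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    attrs, pos = [], 20
    while pos < length:
        attr_type, attr_len = data[pos], data[pos + 1]
        attrs.append((attr_type, data[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, ident, data[4:20], attrs


def build_response(code: int, request: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _, ident, request_auth, _ = parse_packet(request)
    head = struct.pack("!BBH", code, ident, 20)  # no attributes in this minimal reply
    return head + hashlib.md5(head + request_auth + secret).digest()


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """What a RADIUS client must do before trusting an Accept or Reject: recompute the authenticator."""
    _, ident, response_auth, _ = parse_packet(response)
    _, request_ident, request_auth, _ = parse_packet(request)
    if ident != request_ident:
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response_auth)


def radius_server(request: bytes, secret: bytes, users=USERS) -> bytes:
    """Simulated server: decrypt the PAP password with its own secret and look the user up."""
    _, _, authenticator, attrs = parse_packet(request)
    attr_map = dict(attrs)
    username = attr_map.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = pap_decrypt(attr_map.get(ATTR_USER_PASSWORD, b""), secret, authenticator)
    accepted = users.get(username) == password
    return build_response(ACCESS_ACCEPT if accepted else ACCESS_REJECT, request, secret)


def run_test(username: str, password: str, client_secret: bytes, server_secret: bytes) -> str:
    """Offline counterpart of 'diagnose test authserver radius <server> pap <user> <pass>'."""
    request = build_access_request(7, username, password, client_secret)
    response = radius_server(request, server_secret)
    if not verify_response(response, request, client_secret):
        return "invalid response authenticator: shared secret mismatch"
    return "accept" if parse_packet(response)[0] == ACCESS_ACCEPT else "reject"


if __name__ == "__main__":
    for args in (("user1", "password123", b"s3cret", b"s3cret"),
                 ("user1", "wrongpass", b"s3cret", b"s3cret"),
                 ("user1", "password123", b"s3cret", b"0therSecret")):
        print(args[:2], "->", run_test(*args))
```

Run it with python3 radius_pap_demo.py. The third case is the one worth remembering when reading a capture from step 2: a server holding a different secret decrypts the PAP password to garbage and can only reject (many implementations discard the request instead, so the capture shows requests with no replies at all), and even a reply it does send fails the authenticator check on the client side. An Access-Reject that does verify correctly points at the credentials or the server's policy rather than at the secret, which is the distinction the fnbamd debug output in step 3 is used to confirm.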