Troubleshooting Tip: How to test FortiGate RADIUS user authentication against the RADIUS server
Description
This article describes how to test FortiGate user authentication to the RADIUS server.
Scope
FortiGate.
Solution
The CLI of the FortiGate includes an authentication test command:
diagnose test authserver radius <server_name> <chap | pap | mschap | mschap2> <username> <password>
Run this command to verify that the RADIUS server configuration on the FortiGate is complete and consistent with the RADIUS server itself.
If there are no issues with the configuration or user credentials, the RADIUS server returns an authentication confirmation and a list of the user groups matched for that user.
Note:
Although RFC 2865 obsoletes RFC 2138, some RADIUS implementations or authentication methods may still exhibit a 16-character password limitation due to legacy behavior or backend constraints.
If authentication issues occur with long passwords, testing with a shorter password or verifying the RADIUS backend implementation is recommended.
For example (command outputs from FortiOS v7.2):
diagnose debug application fnbamd -1
Debug messages will be on for 30 minutes.
diagnose debug enable
diagnose test authserver radius radserver1 pap raduser1 password123
[1909] handle_req-Rcvd auth req 1190820099 for raduser1 in radserver1 opt=0100001d prot=0
[489] __compose_group_list_from_req-Group 'radserver1', type 1
[616] fnbamd_pop3_start-raduser1
[531] __fnbamd_cfg_get_radius_list_by_server-Loading RADIUS server 'radserver1'
[342] fnbamd_create_radius_socket-Opened radius socket 10
[342] fnbamd_create_radius_socket-Opened radius socket 11
[1476] fnbamd_radius_auth_send-Compose RADIUS request
[1433] fnbamd_rad_dns_cb-10.5.56.169->10.5.56.169
[1405] __fnbamd_rad_send-Sent radius req to server 'radserver1': fd=10, IP=10.5.56.169(10.5.56.169:1812) code=1 id=1 len=97 user="raduser1" using PAP <- Username and scheme.
[319] radius_server_auth-Timer of rad 'radserver1' is added
[652] create_auth_session-Total 1 server(s) to try
[1950] handle_req-r=4
[1522] fnbamd_auth_handle_radius_result-Timer of rad 'radserver1' is deleted
[1890] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2 <- 2=Access-Accept, 3=Access-Reject, 11=Access-Challenge.
[323] extract_success_vsas-FORTINET attr, type 1, val radgroup1 <- RADIUS attributes.
[1548] fnbamd_auth_handle_radius_result-->Result for radius svr 'radserver1' 10.5.56.169(1) is 0 <- 0=Authentication successful, 1=Authentication failed.
[281] find_matched_usr_grps-Skipped group matching
[209] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 1190820099, len=2551
authenticate 'raduser1' against 'pap' succeeded, server=primary assigned_rad_session_id=1190820099 session_timeout=0 secs idle_timeout=0 secs!
Group membership(s) - radgroup1
To stop the debug:
diagnose debug disable
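The annotated output above carries the values that decide the outcome of the test: the username and scheme on the request line, the RADIUS response code (2, 3 or 11), the fnbamd result (0 or 1) and any FORTINET group VSAs. The following Python helper, added here and not part of the article or of FortiOS, pulls those fields out of captured fnbamd debug output so the verdict can be read off without scanning every line; the regular expressions assume the line formats shown in the FortiOS 7.2 sample above.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Code meanings as annotated in the article's sample output.
RADIUS_CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
RESULT_CODES = {0: "Authentication successful", 1: "Authentication failed"}

# One pattern per fnbamd debug line of interest (formats as in the FortiOS 7.2 sample).
SEND_RE = re.compile(r"Sent radius req to server '([^']+)':.*IP=([\d.]+)\(.*user=\"([^\"]+)\" using (\w+)")
RESP_RE = re.compile(r"RADIUS resp code (\d+)")
RESULT_RE = re.compile(r"Result for radius svr '[^']+' \S+ is (\d+)")
VSA_RE = re.compile(r"extract_success_vsas-FORTINET attr, type 1, val (\S+)")

@dataclass
class RadiusTest:
    user: Optional[str] = None
    scheme: Optional[str] = None
    server: Optional[str] = None
    server_ip: Optional[str] = None
    resp_code: Optional[int] = None  # None if the server never answered (timeout / unreachable)
    result: Optional[int] = None
    groups: list = field(default_factory=list)

    def accepted(self) -> bool:
        # Success needs both Access-Accept from the server and result 0 from fnbamd.
        return self.resp_code == 2 and self.result == 0

    def describe(self) -> str:
        return (f"{RADIUS_CODES.get(self.resp_code, 'no/unknown RADIUS response')}; "
                f"{RESULT_CODES.get(self.result, 'no/unknown fnbamd result')}; groups={self.groups}")

def parse_fnbamd(output: str) -> RadiusTest:
    t = RadiusTest()
    for line in output.splitlines():
        if m := SEND_RE.search(line):
            t.server, t.server_ip, t.user, t.scheme = m.groups()
        elif m := RESP_RE.search(line):
            t.resp_code = int(m.group(1))
        elif m := RESULT_RE.search(line):
            t.result = int(m.group(1))
        elif m := VSA_RE.search(line):
            t.groups.append(m.group(1))
    return t

# Lines taken from the article's FortiOS 7.2 sample output (inline annotations stripped).
SAMPLE = """[1405] __fnbamd_rad_send-Sent radius req to server 'radserver1': fd=10, IP=10.5.56.169(10.5.56.169:1812) code=1 id=1 len=97 user="raduser1" using PAP
[1890] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[323] extract_success_vsas-FORTINET attr, type 1, val radgroup1
[1548] fnbamd_auth_handle_radius_result-->Result for radius svr 'radserver1' 10.5.56.169(1) is 0"""
```

Feed it the full debug capture rather than the four sample lines; a result with no response code at all points at reachability, shared secret or timeout problems rather than at the credentials.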
If no debug output appears at all, verify connectivity to the RADIUS server with the commands below.
Ping the RADIUS server:
execute ping a.b.c.d <----- a.b.c.d is the server IP.
To send the ping from a specific source IP (for example, the interface facing the RADIUS server), set the ping source first:
execute ping-options source x.x.x.x <----- x.x.x.x is the source IP.
execute ping a.b.c.d <----- a.b.c.d is the server IP.
The packet sniffer can be used to verify that traffic is going out on the correct interface: