According to the admin guide, FortiAuthenticator local administrators can be used for RADIUS authentication, with two mandatory options:
- Enable the option 'Allow RADIUS Authentication' for the administrator (configured in the user section).
- Use PAP as the authentication method (configured in the RADIUS settings of the RADIUS client). See the Administrators article in the FortiAuthenticator documentation.
Below are the debug outputs from FortiAuthenticator's RADIUS debug for the two authentication methods, with a FortiGate used as the RADIUS client. The test was done with an SSL VPN connection:
- Authentication method PAP selected in the FortiGate RADIUS settings, or the default setting (only snippets of FAC's RADIUS debug are shown):
---------------------------------------------------------------------------
2024-02-29T08:19:20.952159+01:00 FortiAuthenticator radiusd[14827]: (83) # Executing group from file /usr/etc/raddb/sites-enabled/default
2024-02-29T08:19:20.952245+01:00 FortiAuthenticator radiusd[14827]: (83) facauth: Client type: external (subtype: radius)
2024-02-29T08:19:20.952256+01:00 FortiAuthenticator radiusd[14827]: (83) facauth: Input raw_username: (null) Realm: (null) username: fac.admin
2024-02-29T08:19:20.952265+01:00 FortiAuthenticator radiusd[14827]: (83) facauth: Searching default realm as well
2024-02-29T08:19:20.952291+01:00 FortiAuthenticator radiusd[14827]: (83) facauth: Realm not specified, default goes to FAC local user
2024-02-29T08:19:20.954251+01:00 FortiAuthenticator radiusd[14827]: (83) facauth: Local user found: fac.admin
2024-02-29T08:19:20.954279+01:00 FortiAuthenticator radiusd[14827]: (83) facauth: User [enable fido: false, token count: 0, revoked_token_count: 0]
2024-02-29T08:19:20.954292+01:00 FortiAuthenticator radiusd[14827]: (83) facauth: Policy [fido_auth_opt: disabled, twofactor: allow both, no_fido: two factor, revoked: reject]
2024-02-29T08:19:20.954304+01:00 FortiAuthenticator radiusd[14827]: (83) facauth: Decided on [is_fido: false, two_factor: allow both, token_type: none]
2024-02-29T08:19:20.967255+01:00 FortiAuthenticator radiusd[14827]: (83) facauth: Authentication OK
2024-02-29T08:19:20.967329+01:00 FortiAuthenticator radiusd[14827]: (83) facauth: Setting 'Post-Auth-Type := FACAUTH'
2024-02-29T08:19:20.968740+01:00 FortiAuthenticator radiusd[14827]: (83) facauth: Updated auth log 'fac.admin': Local administrator authentication with no token successful
2024-02-29T08:19:20.968851+01:00 FortiAuthenticator radiusd[14827]: (83) # Executing group from file /usr/etc/raddb/sites-enabled/default
2024-02-29T08:19:20.969044+01:00 FortiAuthenticator radiusd[14827]: (83) Sent Access-Accept Id 23 from 172.20.20.20:1812 to 172.20.20.1:21408 length 20
---------------------------------------------------
- Authentication method MS-CHAPv2 selected in the FortiGate RADIUS settings; debug output from FortiAuthenticator:
---------------------------------------------------
2024-02-28T17:24:24.159749+01:00 FortiAuthenticator radiusd[14827]: Not doing PAP as Auth-Type is already set.
2024-02-28T17:24:24.159759+01:00 FortiAuthenticator radiusd[14827]: (74) # Executing group from file /usr/etc/raddb/sites-enabled/default
2024-02-28T17:24:24.159779+01:00 FortiAuthenticator radiusd[14827]: (74) facauth: Client type: external (subtype: radius)
2024-02-28T17:24:24.159785+01:00 FortiAuthenticator radiusd[14827]: (74) facauth: Input raw_username: (null) Realm: (null) username: fac.admin
2024-02-28T17:24:24.159791+01:00 FortiAuthenticator radiusd[14827]: (74) facauth: Searching default realm as well
2024-02-28T17:24:24.159799+01:00 FortiAuthenticator radiusd[14827]: (74) facauth: Realm not specified, default goes to FAC local user
2024-02-28T17:24:24.160697+01:00 FortiAuthenticator radiusd[14827]: (74) facauth: Local user found: fac.admin
2024-02-28T17:24:24.160707+01:00 FortiAuthenticator radiusd[14827]: (74) facauth: User [enable fido: false, token count: 0, revoked_token_count: 0]
2024-02-28T17:24:24.160714+01:00 FortiAuthenticator radiusd[14827]: (74) facauth: Policy [fido_auth_opt: disabled, twofactor: allow both, no_fido: two factor, revoked: reject]
2024-02-28T17:24:24.160721+01:00 FortiAuthenticator radiusd[14827]: (74) facauth: Decided on [is_fido: false, two_factor: allow both, token_type: none]
2024-02-28T17:24:24.160730+01:00 FortiAuthenticator radiusd[14827]: (74) facauth: ERROR: ERROR: local user 'fac.admin' auth require "User-Password" (pap)
2024-02-28T17:24:24.160743+01:00 FortiAuthenticator radiusd[14827]: (74) facauth: Authentication failed
2024-02-28T17:24:24.160794+01:00 FortiAuthenticator radiusd[14827]: (74) facauth: Updated auth log 'fac.admin': Local administrator authentication(mschap) with no token failed: invalid user parameter
2024-02-28T17:24:24.160814+01:00 FortiAuthenticator radiusd[14827]: (74) # Executing group from file /usr/etc/raddb/sites-enabled/default
2024-02-28T17:24:24.492177+01:00 FortiAuthenticator radiusd[14827]: Waking up in 0.6 seconds.
2024-02-28T17:24:25.164202+01:00 FortiAuthenticator radiusd[14827]: (74) Sent Access-Reject Id 3 from 172.20.20.20:1812 to 172.20.20.1:13741 length 2
---------------------------------------
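The PAP requirement shown in the two debug outputs above, modelled as an added Python example (this is not FortiAuthenticator's code and not part of the original article). It implements the RFC 2865 section 5.2 User-Password obfuscation that a PAP RADIUS client such as the FortiGate sends, and a small decision function that, like facauth above, verifies a local administrator only when the Access-Request carries User-Password, and rejects an MS-CHAPv2-style request (MS-CHAP-Challenge and MS-CHAP2-Response, no User-Password) with the same kind of "auth require User-Password (pap)" reason. The shared secret, administrator name and password are constructed values, and the function names (facauth_local_admin, build_pap_request, build_mschapv2_request) are hypothetical. On the FortiGate side the PAP requirement corresponds to 'set auth-type pap' under 'config user radius'.

```python
import hashlib
import os
import secrets

# Constructed values for this example only (not from the original page).
SHARED_SECRET = b"testing123"
LOCAL_ADMINS = {"fac.admin": "S3cretPassw0rd!"}  # hypothetical FAC local admin


def pap_encode_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad the password with NULs to a multiple of 16 bytes, then XOR
    each block with MD5(secret + previous ciphertext block); the first block is
    keyed with MD5(secret + Request-Authenticator)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes before padding")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        cipher = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + cipher, cipher
    return out


def pap_decode_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of the same transform; a wrong shared secret yields garbage,
    which then simply fails the password comparison."""
    if not encoded or len(encoded) % 16:
        raise ValueError("malformed User-Password attribute")
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        block = encoded[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out, prev = out + bytes(a ^ b for a, b in zip(block, key)), block
    return out.rstrip(b"\x00")  # strips the RFC padding (passwords must not end in NUL)


def facauth_local_admin(request: dict, secret: bytes) -> tuple:
    """Model of the decision visible in the debug output: a FAC local admin can be
    verified only from User-Password (PAP). MS-CHAPv2 carries an NT-hash based
    response instead, which the server cannot check against a stored admin
    password, so such a request is rejected. Returns (reply_code, auth_log)."""
    username = request["User-Name"]
    expected = LOCAL_ADMINS.get(username)
    if expected is None:
        return "Access-Reject", "Local administrator '%s' not found" % username
    if "User-Password" not in request:
        method = "mschap" if "MS-CHAP2-Response" in request else "unknown"
        return ("Access-Reject",
                "local user '%s' auth require \"User-Password\" (pap), got %s" % (username, method))
    supplied = pap_decode_password(request["User-Password"], secret,
                                   request["Request-Authenticator"])
    if secrets.compare_digest(supplied, expected.encode()):
        return "Access-Accept", "Local administrator authentication '%s' successful" % username
    return "Access-Reject", "Local administrator authentication '%s' failed: bad password" % username


def build_pap_request(username: str, password: str, secret: bytes) -> dict:
    """What a PAP client (e.g. FortiGate with auth-type pap) puts in the Access-Request."""
    authenticator = os.urandom(16)
    return {"User-Name": username,
            "Request-Authenticator": authenticator,
            "User-Password": pap_encode_password(password.encode(), secret, authenticator)}


def build_mschapv2_request(username: str) -> dict:
    """Attribute shape of an MS-CHAPv2 request: no User-Password at all. The
    response value is a placeholder; only the attribute names matter here."""
    return {"User-Name": username,
            "Request-Authenticator": os.urandom(16),
            "MS-CHAP-Challenge": os.urandom(16),
            "MS-CHAP2-Response": b"\x00" * 50}


if __name__ == "__main__":
    print(facauth_local_admin(build_pap_request("fac.admin", "S3cretPassw0rd!", SHARED_SECRET), SHARED_SECRET))
    print(facauth_local_admin(build_mschapv2_request("fac.admin"), SHARED_SECRET))
```

Note the caveat this implies for production: with PAP the password itself crosses the network protected only by the MD5/shared-secret obfuscation above, so use a long random shared secret, restrict which RADIUS clients FAC accepts, and carry the RADIUS traffic over a protected path (IPsec or RadSec) rather than plain UDP across untrusted segments. A mismatched shared secret does not show up as a decode error but as a plain "bad password" rejection, which is worth remembering when reading the FAC debug.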