FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
sisrayilov
Staff
Article Id 365887
Description

 

This article describes how to check and verify RADIUS attributes that are configured in a user group setting on FortiAuthenticator by using the ‘fnbamd’ debug logs on FortiGate.

 

Scope

 

FortiAuthenticator

 

Solution

 

RADIUS attributes can be configured on FortiAuthenticator in the following two places:

  • In a user account setting
  • In the setting of a user group that the user belongs to

 

The following two cases describe a local user and a remote user respectively.

A local user case:

If the Group filter option is not enabled, so that the respective group is not filtered in the related RADIUS policy (‘Identity sources’ section) on FortiAuthenticator, then the RADIUS attributes configured on the user account and in the group settings both appear in the fnbamd debug log entries on FortiGate.


The following is the ‘fnbamd’ output on a FortiGate (RADIUS client) when the local user ‘localuser@local’ is tested by sending a RADIUS request from FortiGate to FortiAuthenticator to check the user's validity.


Debug log output on FortiGate:

diagnose debug application fnbamd -1
Debug messages will be on for 30 minutes.

# diagnose debug enable

# [1939] handle_req-Rcvd auth req 1301509768 for localuser@local in FortiAuthenticator opt=0100001d prot=0
[489] __compose_group_list_from_req-Group 'FortiAuthenticator', type 1
[616] fnbamd_pop3_start-localuser@local
[531] __fnbamd_cfg_get_radius_list_by_server-Loading RADIUS server 'FortiAuthenticator'
[342] fnbamd_create_radius_socket-Opened radius socket 10
[342] fnbamd_create_radius_socket-Opened radius socket 11
[1455] fnbamd_radius_auth_send-Compose RADIUS request
[1412] fnbamd_rad_dns_cb-10.3.8.45->10.3.8.45
[1384] __fnbamd_rad_send-Sent radius req to server 'FortiAuthenticator': fd=10, IP=10.3.8.45(10.3.8.45:1812) code=1 id=0 len=111 user="localuser@local" using PAP
[319] radius_server_auth-Timer of rad 'FortiAuthenticator' is added
[652] create_auth_session-Total 1 server(s) to try
[1980] handle_req-r=4
[1523] fnbamd_auth_handle_radius_result-Timer of rad 'FortiAuthenticator' is deleted
[1869] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[323] extract_success_vsas-FORTINET attr, type 1, val "LocalGroup"
[323] extract_success_vsas-FORTINET attr, type 1, val "LocalGroupRADATTValue"
 

Note:

‘LocalGroup’ is the RADIUS attribute value configured on the local user account; ‘LocalGroupRADATTValue’ is the RADIUS attribute value configured in the group setting on FortiAuthenticator. The two values were deliberately chosen to differ so that they can be told apart in the output.


 
The fnbamd debug output is the same if the Group filter option is enabled and the respective group (‘LocalGroup’ in this scenario) is added to the filter: both configured attributes are shown, exactly as in the non-filtered case.

As a result, for a local user it makes no difference whether a group filter is enabled in the RADIUS policy or not: both the attribute configured on the local user account and the attribute configured in its group settings appear in the fnbamd debug output, as shown above.

A remote user case:
A RADIUS attribute selected in a group setting is returned only if the respective group is filtered in the RADIUS policy. Otherwise, only the RADIUS attribute configured in the remote user setting appears in the same fnbamd debug logs.

The remote user is a member of RemoteGroup, where the RADIUS attribute value is set to ‘RemoteGroupRADATTValue’.

 


Note:

‘RemoteGroupRADATTValue’ is configured for testing purposes, so that it can be distinguished from the RADIUS attribute value configured in the user setting.

 

As the respective group (RemoteGroup) is not filtered in the RADIUS policy, only the RADIUS attribute configured in the remote user setting is returned and shown in the 'fnbamd' logs on FortiGate when a RADIUS request is sent from FortiGate to FortiAuthenticator.

 

In conclusion, a remote user's group must be filtered in the respective RADIUS policy in order to receive and verify the RADIUS attribute configured in the group setting on FortiAuthenticator. Unlike for a local user, if the group is not filtered in the RADIUS policy, only the RADIUS attribute configured in the user setting is returned in the output when the user is tested.

 

Debug log output on FortiGate:

diagnose debug application fnbamd -1
Debug messages will be on for 30 minutes.

# diagnose debug enable

[1939] handle_req-Rcvd auth req 1301509772 for remoteuser@isr in FortiAuthenticator opt=0100001d prot=0
[489] __compose_group_list_from_req-Group 'FortiAuthenticator', type 1
[616] fnbamd_pop3_start-remoteuser@isr
[531] __fnbamd_cfg_get_radius_list_by_server-Loading RADIUS server 'FortiAuthenticator'
[342] fnbamd_create_radius_socket-Opened radius socket 10
[342] fnbamd_create_radius_socket-Opened radius socket 11
[1455] fnbamd_radius_auth_send-Compose RADIUS request
[1412] fnbamd_rad_dns_cb-10.3.8.45->10.3.8.45
[1384] __fnbamd_rad_send-Sent radius req to server 'FortiAuthenticator': fd=10, IP=10.3.8.45(10.3.8.45:1812) code=1 id=4 len=110 user="remoteuser@isr" using PAP
[319] radius_server_auth-Timer of rad 'FortiAuthenticator' is added
[652] create_auth_session-Total 1 server(s) to try
[1980] handle_req-r=4
[1523] fnbamd_auth_handle_radius_result-Timer of rad 'FortiAuthenticator' is deleted
[1869] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[323] extract_success_vsas-FORTINET attr, type 1, val "RemoteUserRADATTValue"

 

A RADIUS attribute value that is configured in a group setting will be shown only if the respective group is filtered in the related RADIUS policy.

 


 

The fnbamd debug output after enabling the group filter:

diagnose debug application fnbamd -1
Debug messages will be on for 30 minutes.

# diagnose debug enable

# [1939] handle_req-Rcvd auth req 1301509773 for remoteuser@isr in FortiAuthenticator opt=0100001d prot=0
[489] __compose_group_list_from_req-Group 'FortiAuthenticator', type 1
[616] fnbamd_pop3_start-remoteuser@isr
[531] __fnbamd_cfg_get_radius_list_by_server-Loading RADIUS server 'FortiAuthenticator'
[342] fnbamd_create_radius_socket-Opened radius socket 10
[342] fnbamd_create_radius_socket-Opened radius socket 11
[1455] fnbamd_radius_auth_send-Compose RADIUS request
[1412] fnbamd_rad_dns_cb-10.3.8.45->10.3.8.45
[1384] __fnbamd_rad_send-Sent radius req to server 'FortiAuthenticator': fd=10, IP=10.3.8.45(10.3.8.45:1812) code=1 id=5 len=110 user="remoteuser@isr" using PAP
[319] radius_server_auth-Timer of rad 'FortiAuthenticator' is added
[652] create_auth_session-Total 1 server(s) to try
[1980] handle_req-r=4
[1523] fnbamd_auth_handle_radius_result-Timer of rad 'FortiAuthenticator' is deleted
[1869] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[323] extract_success_vsas-FORTINET attr, type 1, val "RemoteUserRADATTValue"
[323] extract_success_vsas-FORTINET attr, type 1, val "RemoteGroupRADATTValue"
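As an added example (not code from this article or from Fortinet), the following Python script parses the fnbamd output shown above for the remote user, both before and after the group filter is enabled, and reports which expected type-1 Fortinet VSA values are missing from the Access-Accept. The sample log text is constructed from the lines on this page, and the helper names (parse_fnbamd, check_group_attributes) are hypothetical.

```python
"""Parse FortiGate 'diagnose debug application fnbamd -1' output and check
which Fortinet RADIUS VSAs came back for a test user.

Added example, not code from the original article or from Fortinet. The
sample log text is constructed from the line shapes shown on the page, and
the helper names (parse_fnbamd, check_group_attributes) are hypothetical.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed samples (trimmed to the lines the checker needs).
# Remote user, group NOT filtered in the RADIUS policy: only the user-level VSA.
SAMPLE_REMOTE_UNFILTERED = """\
[1939] handle_req-Rcvd auth req 1301509772 for remoteuser@isr in FortiAuthenticator opt=0100001d prot=0
[1384] __fnbamd_rad_send-Sent radius req to server 'FortiAuthenticator': fd=10, IP=10.3.8.45(10.3.8.45:1812) code=1 id=4 len=110 user="remoteuser@isr" using PAP
[1869] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[323] extract_success_vsas-FORTINET attr, type 1, val "RemoteUserRADATTValue"
"""
# Same user after the group filter is enabled: user-level and group-level VSA.
SAMPLE_REMOTE_FILTERED = """\
# [1939] handle_req-Rcvd auth req 1301509773 for remoteuser@isr in FortiAuthenticator opt=0100001d prot=0
[1384] __fnbamd_rad_send-Sent radius req to server 'FortiAuthenticator': fd=10, IP=10.3.8.45(10.3.8.45:1812) code=1 id=5 len=110 user="remoteuser@isr" using PAP
[1869] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[323] extract_success_vsas-FORTINET attr, type 1, val "RemoteUserRADATTValue"
[323] extract_success_vsas-FORTINET attr, type 1, val "RemoteGroupRADATTValue"
"""

# RADIUS packet codes (RFC 2865) for the "resp code" line.
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}


@dataclass
class FnbamdResult:
    user: Optional[str] = None           # user name from the auth request
    server: Optional[str] = None         # RADIUS server object name on FortiGate
    server_ip: Optional[str] = None
    server_port: Optional[int] = None
    request_id: Optional[int] = None     # RADIUS identifier of the request
    response_code: Optional[int] = None  # RADIUS code of the reply
    vsas: List[Tuple[int, str]] = field(default_factory=list)  # (Fortinet VSA type, value)

    @property
    def response_name(self) -> str:
        return RADIUS_CODES.get(self.response_code, f"code {self.response_code}")


# Patterns are applied with re.search, so the CLI prompt residue ("# ") that
# precedes some lines in the pasted output does not matter.
RE_REQ = re.compile(r"handle_req-Rcvd auth req \d+ for (\S+) in (\S+)")
RE_SEND = re.compile(
    r"Sent radius req to server '([^']+)': fd=\d+, IP=[\d.]+\(([\d.]+):(\d+)\) code=\d+ id=(\d+)")
RE_RESP = re.compile(r"RADIUS resp code (\d+)")
RE_VSA = re.compile(r'extract_success_vsas-FORTINET attr, type (\d+), val "([^"]*)"')


def parse_fnbamd(log: str) -> FnbamdResult:
    """Reduce one fnbamd authentication exchange to the fields worth checking."""
    r = FnbamdResult()
    for line in log.splitlines():
        if m := RE_REQ.search(line):
            r.user, r.server = m.group(1), m.group(2)
        elif m := RE_SEND.search(line):
            r.server = m.group(1)
            r.server_ip, r.server_port = m.group(2), int(m.group(3))
            r.request_id = int(m.group(4))
        elif m := RE_RESP.search(line):
            r.response_code = int(m.group(1))
        elif m := RE_VSA.search(line):
            r.vsas.append((int(m.group(1)), m.group(2)))
    return r


def check_group_attributes(result: FnbamdResult, expected: Set[str]) -> Dict[str, object]:
    """Compare the type-1 Fortinet VSA values received with the values the admin expects.

    A missing group-level value on an Access-Accept is the symptom the article
    describes for a remote user whose group is not filtered in the RADIUS policy.
    """
    received = {value for vsa_type, value in result.vsas if vsa_type == 1}
    missing = expected - received
    if result.response_code != 2:
        hint = f"{result.response_name} received; VSAs are only extracted on Access-Accept"
    elif missing:
        hint = ("group attribute not returned: check that the user's group is filtered "
                "in the RADIUS policy (Identity sources) on FortiAuthenticator")
    else:
        hint = "all expected attributes returned"
    return {"user": result.user, "response": result.response_name,
            "received": sorted(received), "missing": sorted(missing), "hint": hint}


if __name__ == "__main__":
    expected = {"RemoteUserRADATTValue", "RemoteGroupRADATTValue"}
    for name, log in [("unfiltered", SAMPLE_REMOTE_UNFILTERED), ("filtered", SAMPLE_REMOTE_FILTERED)]:
        print(name, check_group_attributes(parse_fnbamd(log), expected))
```

Paste the real fnbamd output into the script in place of the constructed samples; the same check also covers the local user case, where both values are expected regardless of the filter setting.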