Description
This article describes how to fix a RADIUS authentication failure that occurs after changing the password of the LDAP username on FortiAuthenticator.
Scope
FortiAuthenticator
Solution
FortiGate is the RADIUS client and FortiAuthenticator is the RADIUS server.
The admin user cannot log in to the FortiGate using RADIUS authentication after the password of the LDAP username has been changed on the AD and on FortiAuthenticator.
The RADIUS authentication debug logs report invalid credentials and a failure to connect to the remote LDAP server, even though the FortiAuthenticator connection to AD via LDAP is successful.
2025-02-27T15:47:48.619901+05:30 fac radiusd[13006]: (162440) facauth: ERROR: fac_ldap_connect() failed: ldap_simple_bind_s failed: Invalid credentials 80090308: LdapErr: DSID-0C09044B, comment: AcceptSecurityContext error, data 52e, v3839
2025-02-27T15:47:48.619917+05:30 fac radiusd[13006]: (162440) facauth: WARNING: Failed to search remote LDAP server for remote user 'cisco', error: cannot connect to remote ldap server
2025-02-27T15:47:48.619955+05:30 fac radiusd[13006]: (162440) facauth: Updated auth log 'fortinet': Remote LDAP user authentication with no token failed: cannot connect to remote ldap server
2025-02-22T15:47:48.619979+05:30 fac radiusd[13006]: (162440) # Executing group from file /usr/etc/raddb/sites-enabled/default
The FortiAuthenticator logs show that the status of the LDAP server has been reset to offline-stale.
date=2025-02-27 time=07:46:11+0000 oid=3852230 logid=30500 cat="Event" subcat="System" level="warning" nas="" action="" status="" msg="Status of remote server (LDAP) at x.x.x.x:389 has been reset to offline-stale" user=
This behavior matches bug 848324, which was fixed in FortiAuthenticator v6.4.7 and v6.5.0. The issue is triggered by any change to the FortiAuthenticator LDAP configuration.
This issue was seen on FortiAuthenticator v6.4.4 – v6.4.6.
The workaround is to reboot the FortiAuthenticator or to change the LDAP Server Status Cache Timeout to 1 second under Authentication > Remote Auth. Servers > General on FortiAuthenticator.
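
A triage check for the log pattern described above, added here as an example and not Fortinet tooling: it pairs each radiusd LDAP bind failure with an earlier "reset to offline-stale" event, which separates this stale-cache condition from an ordinary wrong password. The function names and the 24-hour correlation window are assumptions; the sample lines are copied from the excerpts in this article.

```python
import re
from datetime import datetime, timedelta

# Sample lines copied from the log excerpts in this article.
RADIUSD_LOG = [
    "2025-02-27T15:47:48.619901+05:30 fac radiusd[13006]: (162440) facauth: ERROR: "
    "fac_ldap_connect() failed: ldap_simple_bind_s failed: Invalid credentials "
    "80090308: LdapErr: DSID-0C09044B, comment: AcceptSecurityContext error, data 52e, v3839",
    "2025-02-27T15:47:48.619917+05:30 fac radiusd[13006]: (162440) facauth: WARNING: Failed to "
    "search remote LDAP server for remote user 'cisco', error: cannot connect to remote ldap server",
]
EVENT_LOG = [
    'date=2025-02-27 time=07:46:11+0000 oid=3852230 logid=30500 cat="Event" subcat="System" '
    'level="warning" nas="" action="" status="" msg="Status of remote server (LDAP) at '
    'x.x.x.x:389 has been reset to offline-stale" user=',
]

BIND_FAIL = re.compile(
    r"^(\S+) \S+ radiusd\[\d+\]: .*ldap_simple_bind_s failed: Invalid credentials")
STALE = re.compile(
    r'^date=(\S+) time=(\S+) .*msg="Status of remote server \(LDAP\) at (\S+) '
    r'has been reset to offline-stale"')

def bind_failures(lines):
    """Timestamps of LDAP bind failures reported by radiusd."""
    return [datetime.fromisoformat(m.group(1)) for m in map(BIND_FAIL.match, lines) if m]

def stale_resets(lines):
    """(timestamp, server) for each 'reset to offline-stale' event."""
    out = []
    for m in filter(None, map(STALE.match, lines)):
        ts = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%Y-%m-%d %H:%M:%S%z")
        out.append((ts, m.group(3)))
    return out

def suspect_stale_cache(radius_lines, event_lines, window=timedelta(hours=24)):
    """Pair each bind failure with the latest stale reset preceding it within `window`."""
    resets = sorted(stale_resets(event_lines))
    hits = []
    for fail in bind_failures(radius_lines):
        # Both timestamps carry UTC offsets, so the subtraction is timezone-safe.
        prior = [r for r in resets if timedelta(0) <= fail - r[0] <= window]
        if prior:
            hits.append((fail, prior[-1][1], fail - prior[-1][0]))
    return hits

if __name__ == "__main__":
    for fail, server, delta in suspect_stale_cache(RADIUSD_LOG, EVENT_LOG):
        print(f"bind failure at {fail.isoformat()} follows offline-stale reset of {server} by {delta}")
```

A bind failure with no preceding offline-stale reset is more likely a mistyped or unsynchronised password than this bug.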