ahameed
Staff
Description
This article describes a FortiGate admin login configured against RADIUS groups, where admin authentication against the RADIUS groups succeeds from the command line but fails from the GUI.

The authentication test from the CLI is successful:

Command Syntax:

diag test authserver radius <server_name> <chap | pap | mschap | mschap2> <username> <password>

Example of a successful test:

diag test authserver radius FGT-Radius  pap  fgtadmin xxxxxx

Debug output:

[2127] handle_req-Rcvd auth req 363714660 for cvigabriel in FGT-Radius opt=0000001d prot=0
[355] __compose_group_list_from_req-Group 'FGT-Radius'
[605] fnbamd_pop3_start-cvigabriel
[524] __fnbamd_cfg_get_radius_list_by_server-Loading RADIUS server 'FGT-Radius'
[304] fnbamd_create_radius_socket-Opened radius socket 13
[304] fnbamd_create_radius_socket-Opened radius socket 14
[1338] fnbamd_radius_auth_send-Compose RADIUS request
[39] fnbamd_dns_resolv-DNS req 'emernps.emer.local'
[281] radius_server_auth-Timer of rad 'FGT-Radius' is added
[492] create_auth_session-Total 1 server(s) to try
[193] fnbamd_dns_parse_resp-req 3: 10.1.1.235
[1305] fnbamd_rad_dns_cb-emernps.emer.local->10.1.1.235
[1280] __fnbamd_rad_send-Sent radius req to server 'FGT-Radius': fd=13, IP=emernps.emer.local(10.1.1.235:1645) code=1 id=35 len=102 user="cvigabriel" using PAP
[2539] fnbamd_auth_handle_radius_result-Timer of rad 'FGT-Radius' is deleted
[1746] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[2565] fnbamd_auth_handle_radius_result-->Result for radius svr 'FGT-Radius' emernps.emer.local(0) is 0
[2496] fnbamd_radius_group_match-Skipping group matching
[898] find_matched_usr_grps-Skipped group matching
[182] fnbamd_comm_send_result-Sending result 0 (error 0, nid 0) for req 363714660
[637] destroy_auth_session-delete session 363714660
authenticate 'cvigabriel' against 'pap' succeeded, server=primary assigned_rad_session_id=363714660 session_timeout=0 secs idle_timeout=0 secs!

Admin login attempt from the GUI ends in an authentication failure:

# [2127] handle_req-Rcvd auth req 363714661 for cvigabriel in Networking opt=00014001 prot=10
[355] __compose_group_list_from_req-Group 'Networking'
[605] fnbamd_pop3_start-cvigabriel
[304] fnbamd_create_radius_socket-Opened radius socket 13
[304] fnbamd_create_radius_socket-Opened radius socket 14
[1338] fnbamd_radius_auth_send-Compose RADIUS request
[39] fnbamd_dns_resolv-DNS req 'emernps.emer.local'
[281] radius_server_auth-Timer of rad 'FGT-Radius' is added
[701] auth_tac_plus_start-Didn't find tac_plus servers (0)
[426] ldap_start-Didn't find ldap servers (0)
[492] create_auth_session-Total 1 server(s) to try
[193] fnbamd_dns_parse_resp-req 4: 10.1.1.235
[1305] fnbamd_rad_dns_cb-emernps.emer.local->10.1.1.235
[1280] __fnbamd_rad_send-Sent radius req to server 'FGT-Radius': fd=13, IP=emernps.emer.local(10.1.1.235:1645) code=1 id=36 len=109 user="cvigabriel" using PAP
[2539] fnbamd_auth_handle_radius_result-Timer of rad 'FGT-Radius' is deleted
[1746] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[2565] fnbamd_auth_handle_radius_result-->Result for radius svr 'FGT-Radius' emernps.emer.local(0) is 0
[2492] fnbamd_radius_group_match-Failed group matching



Solution
To solve this problem, go to User & Device > User Groups, select the RADIUS group configured for admin login and edit it. Change the 'Group Name', which is 'Networking' in this case, to 'Any', then apply.



[Image: Radius_group.PNG]
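The two debug sessions above differ only in the group-matching line, which is easy to miss in a long capture. The following triage script is an added example, not Fortinet code or part of the original article; the function name `triage` and the verdict strings are hypothetical, and it assumes requests are not interleaved in the capture.

```python
import re

# Constructed sample: key lines from the two fnbamd debug sessions shown above
# (CLI test first, GUI login second).
SAMPLE = """\
[2127] handle_req-Rcvd auth req 363714660 for cvigabriel in FGT-Radius opt=0000001d prot=0
[1746] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[2496] fnbamd_radius_group_match-Skipping group matching
[2127] handle_req-Rcvd auth req 363714661 for cvigabriel in Networking opt=00014001 prot=10
[1746] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[2492] fnbamd_radius_group_match-Failed group matching
"""

REQ = re.compile(r"handle_req-Rcvd auth req (\d+) for (\S+) in (\S+)")
RESP = re.compile(r"RADIUS resp code (\d+)")
GROUP = re.compile(r"fnbamd_radius_group_match-(Skipping|Failed) group matching")
RADIUS_CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}  # RFC 2865


def triage(text):
    """Split fnbamd debug output into auth requests and classify each one.

    Assumes requests are not interleaved: every line is attributed to the most
    recent 'Rcvd auth req' header, and names contain no spaces.
    """
    requests = []
    for line in text.splitlines():
        if m := REQ.search(line):
            requests.append({"id": m[1], "user": m[2], "group": m[3],
                             "radius": None, "group_match": None})
        elif not requests:
            continue  # debug noise before the first request header
        elif m := RESP.search(line):
            requests[-1]["radius"] = RADIUS_CODES.get(int(m[1]), f"code {m[1]}")
        elif m := GROUP.search(line):
            requests[-1]["group_match"] = m[1].lower()
    for r in requests:
        if r["radius"] is None:
            r["verdict"] = "no RADIUS response seen in the capture"
        elif r["radius"] != "Access-Accept":
            r["verdict"] = f"server answered {r['radius']}"
        elif r["group_match"] == "failed":
            r["verdict"] = f"Access-Accept received but group matching failed for '{r['group']}'"
        else:
            r["verdict"] = "accepted"
    return requests


if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(f"req {r['id']} user={r['user']} group={r['group']}: {r['verdict']}")
```
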



Related Articles

Technical Tip: Remote admin login with Radius selecting admin access account profile
