SAJUDIYA (Staff)
Article Id 230873
Description

This article describes how to troubleshoot a RADIUS server authentication failure on a configuration that previously worked, while connectivity between the FortiGate and the RADIUS server is still successful.

In most such cases the existing configuration starts failing without any change having been made on the FortiGate, or there is a problem with the RADIUS server certificate; in both situations the server certificate must be checked on the RADIUS server itself.

Scope
FortiGate 6.X and 7.X.
Solution

Follow the steps below to identify the issue:

1) Test authentication against the RADIUS server from the CLI:

# diagnose test authserver radius <radius server_name> <authentication scheme> <username> <password>

authenticate '<user>' against 'pap' failed(no response), assigned_rad_session_id=562149323 session_timeout=0 secs idle_timeout=0 secs! <----- 'no response' means the FortiGate received no usable reply from the server within the timeout; on its own it suggests the server is unresponsive, but the following steps show that this is not always the case.

 

2) Run the RADIUS (fnbamd) debug for more details:

 

# diagnose debug application fnbamd 255
# diagnose debug console timestamp enable
# diagnose debug enable

 

Output sample:

 

51:1812) code=1 id=39 len=135 user="<user>" using PAP
2022-10-18 06:15:37 [319] radius_server_auth-Timer of rad 'AWS_MFA_NPS' is added
2022-10-18 06:15:37 [755] auth_tac_plus_start-Didn't find tac_plus servers (0)

 

2022-10-18 06:15:44 [378] radius_start-Didn't find radius servers (0)

2022-10-18 06:15:44 [2855] handle_auth_timeout_with_retry-retry failed

2022-10-18 06:15:44 [2912] handle_auth_timeout_without_retry-No more retry

 

3) Run a packet capture (Network -> Packet Capture in the GUI, or the sniffer from the CLI) filtered on the RADIUS server IP and port 1812 (authentication) or 1813 (accounting).

 

The pcap output below shows that:

10.232.98.1 (FortiGate) sends an Access-Request and 10.71.9.251 (RADIUS server) answers with Access-Reject (code 3), which means the failure originates on the RADIUS server.

'Access-Reject: If any value of the received Attributes is not acceptable, then the RADIUS server will transmit an Access-Reject packet as a response.'

 

[Packet capture screenshot: Access-Request from 10.232.98.1 answered by Access-Reject (3) from 10.71.9.251]

 

4) If the capture shows Access-Reject (3), the FortiGate GUI reports an authentication failure, and the CLI test fails with authenticate '<user>' against 'pap' failed(no response), the cause must be verified on the RADIUS server.
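As an added example (not part of the original article and not Fortinet code), the following Python script decodes a RADIUS Access-Request/Access-Reject pair the way a client does, so a reply seen in the capture can be checked before the server is blamed: it parses the header and attributes, verifies the Response Authenticator (MD5 over code, ID, length, the request's Request Authenticator, the attributes and the shared secret, RFC 2865 section 3) and extracts any Reply-Message (attribute 18) the server attached. An RFC-conformant client discards a reply whose Response Authenticator does not verify, for example because the shared secret differs on the two sides, which is one way a reject visible on the wire can still surface as 'no response' on the client. The packets, the shared secret, the user name and the attribute contents are constructed for the example; real requests use 16 random bytes as Request Authenticator and carry an encrypted User-Password.

```python
# Added example, not from the original article: decode a captured RADIUS
# exchange and check whether an Access-Reject was really produced by a server
# holding the configured shared secret (RFC 2865 section 3).
import hashlib
import hmac
import struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}


def parse_radius(pkt: bytes) -> dict:
    """Split a RADIUS UDP payload into header fields and a list of (type, value) attributes."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad Length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "name": CODES.get(code, f"code-{code}"), "id": ident,
            "authenticator": pkt[4:20], "attrs": attrs}


def response_authenticator(resp: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), as the server computes it."""
    length = struct.unpack("!H", resp[2:4])[0]
    return hashlib.md5(resp[:4] + request_auth + resp[20:length] + secret).digest()


def verify_response(resp: bytes, request: bytes, secret: bytes) -> bool:
    """True only if the reply answers this request (same ID) and was signed with `secret`."""
    req, rsp = parse_radius(request), parse_radius(resp)
    if rsp["id"] != req["id"]:
        return False
    expected = response_authenticator(resp, req["authenticator"], secret)
    return hmac.compare_digest(expected, rsp["authenticator"])


def classify(request: bytes, response: bytes, secret: bytes) -> str:
    """What a client concludes from the reply seen on the wire."""
    if not verify_response(response, request, secret):
        return "reply discarded (ID or Response Authenticator mismatch, wrong shared secret?) -> client reports no response"
    rsp = parse_radius(response)
    msgs = [v.decode("utf-8", errors="replace") for t, v in rsp["attrs"] if t == 18]  # Reply-Message
    return rsp["name"] + (": " + " | ".join(msgs) if msgs else "")


# --- helpers to build constructed sample packets (a capture would supply real ones) ---
def build_packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def build_response(code: int, request: bytes, attrs, secret: bytes) -> bytes:
    req = parse_radius(request)
    unsigned = build_packet(code, req["id"], bytes(16), attrs)
    auth = response_authenticator(unsigned, req["authenticator"], secret)
    return unsigned[:4] + auth + unsigned[20:]


SECRET = b"example-secret"      # constructed; the real one is in the FortiGate RADIUS server config
REQ_AUTH = bytes(range(16))     # constructed; real clients use 16 random bytes
# Access-Request id=39 (the id seen in the article's fnbamd log) with User-Name and NAS-IP-Address
ACCESS_REQUEST = build_packet(1, 39, REQ_AUTH, [(1, b"jdoe"), (4, bytes([10, 232, 98, 1]))])
# A genuine Access-Reject carrying a Reply-Message, signed with the right secret
ACCESS_REJECT = build_response(3, ACCESS_REQUEST, [(18, b"Authentication failed")], SECRET)
# The same reject from a server configured with a different shared secret
MISMATCHED_REJECT = build_response(3, ACCESS_REQUEST, [(18, b"Authentication failed")], b"wrong-secret")

if __name__ == "__main__":
    print(classify(ACCESS_REQUEST, ACCESS_REJECT, SECRET))
    print(classify(ACCESS_REQUEST, MISMATCHED_REJECT, SECRET))
```

To check a real capture, export the two UDP payloads from Wireshark (Access-Request and the reply with the same Identifier) and pass them with the secret configured on the FortiGate: a verified Access-Reject with a Reply-Message points at the server's policy or the user's credentials, while a reply that fails verification points at a shared secret mismatch rather than at the user.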

 

Related article:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Radius-authentication-troubleshooting/ta-p...
