Created on 12-21-2017 11:30 AM; edited on 02-25-2025 12:50 AM; by Jean-Philippe_P
Description
This article describes a FortiGate administrator login configured against RADIUS user groups, where the admin authentication succeeds when tested from the CLI but fails when the same user logs in through the GUI.
Scope
FortiGate.
Solution
Enable the following debugs on the FortiGate CLI:
diagnose debug console timestamp enable
diagnose debug application fnbamd -1
diagnose debug application authd -1
diagnose debug enable
The authentication test from the CLI is successful.
Command syntax:
diag test authserver radius <server_name> <chap | pap | mschap | mschap2> <username> <password>
Example of a successful test:
diag test authserver radius FGT-Radius pap fgtadmin xxxxxx
Debug output:
[2127] handle_req-Rcvd auth req 363714660 for cvigabriel in FGT-Radius opt=0000001d prot=0
[355] __compose_group_list_from_req-Group 'FGT-Radius'
[605] fnbamd_pop3_start-cvigabriel
[524] __fnbamd_cfg_get_radius_list_by_server-Loading RADIUS server 'FGT-Radius'
[304] fnbamd_create_radius_socket-Opened radius socket 13
[304] fnbamd_create_radius_socket-Opened radius socket 14
[1338] fnbamd_radius_auth_send-Compose RADIUS request
[39] fnbamd_dns_resolv-DNS req 'emernps.emer.local'
[281] radius_server_auth-Timer of rad 'FGT-Radius' is added
[492] create_auth_session-Total 1 server(s) to try
[193] fnbamd_dns_parse_resp-req 3: 10.1.1.235
[1305] fnbamd_rad_dns_cb-emernps.emer.local->10.1.1.235
[1280] __fnbamd_rad_send-Sent radius req to server 'FGT-Radius': fd=13, IP=emernps.emer.local(10.1.1.235:1645) code=1 id=35 len=102 user="cvigabriel" using PAP
[2539] fnbamd_auth_handle_radius_result-Timer of rad 'FGT-Radius' is deleted
[1746] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[2565] fnbamd_auth_handle_radius_result-->Result for radius svr 'FGT-Radius' emernps.emer.local(0) is 0
[2496] fnbamd_radius_group_match-Skipping group matching
[898] find_matched_usr_grps-Skipped group matching
[182] fnbamd_comm_send_result-Sending result 0 (error 0, nid 0) for req 363714660
[637] destroy_auth_session-delete session 363714660
authenticate 'cvigabriel' against 'pap' succeeded, server=primary assigned_rad_session_id=363714660 session_timeout=0 secs idle_timeout=0 secs!
Admin login attempt from the GUI: authentication failure:
[2127] handle_req-Rcvd auth req 363714661 for cvigabriel in Networking opt=00014001 prot=10
[355] __compose_group_list_from_req-Group 'Networking'
[605] fnbamd_pop3_start-cvigabriel
[304] fnbamd_create_radius_socket-Opened radius socket 13
[304] fnbamd_create_radius_socket-Opened radius socket 14
[1338] fnbamd_radius_auth_send-Compose RADIUS request
[39] fnbamd_dns_resolv-DNS req 'emernps.emer.local'
[281] radius_server_auth-Timer of rad 'FGT-Radius' is added
[701] auth_tac_plus_start-Didn't find tac_plus servers (0)
[426] ldap_start-Didn't find ldap servers (0)
[492] create_auth_session-Total 1 server(s) to try
[193] fnbamd_dns_parse_resp-req 4: 10.1.1.235
[1305] fnbamd_rad_dns_cb-emernps.emer.local->10.1.1.235
[1280] __fnbamd_rad_send-Sent radius req to server 'FGT-Radius': fd=13, IP=emernps.emer.local(10.1.1.235:1645) code=1 id=36 len=109 user="cvigabriel" using PAP
[2539] fnbamd_auth_handle_radius_result-Timer of rad 'FGT-Radius' is deleted
[1746] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[2565] fnbamd_auth_handle_radius_result-->Result for radius svr 'FGT-Radius' emernps.emer.local(0) is 0
[2492] fnbamd_radius_group_match-Failed group matching
The group 'Networking' exists on the FortiGate, and the RADIUS server accepts the credentials in both cases (resp code 2, result 0). The difference is the last debug line: the CLI test skips group matching, whereas the GUI login matches the RADIUS reply against the group 'Networking' and fails.
To solve this problem, go to User & Device -> User Groups, select the remote group that is configured for admin login, edit it, change the 'Group Name' (here 'Networking') to 'Any', and apply.
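The following script is an added example, not part of the Fortinet article: it parses the fnbamd debug excerpts shown above and reports why each session succeeded or failed, which is useful when comparing a CLI test against a GUI login. The regexes are built from the message texts visible on this page; the two sample logs are copied from the article's output, and the success string for group matching is not shown on the page, so only the 'Skipping' and 'Failed' outcomes are recognised (an assumption).

```python
import re
from typing import List

# Regexes for the fnbamd lines that decide the outcome of a login. The message
# texts are those seen in 'diagnose debug application fnbamd -1' output; a
# successful group-match string is not shown in the article, so only the two
# observed outcomes ("Skipping", "Failed") are recognised (assumption).
RE_REQ = re.compile(r"handle_req-Rcvd auth req (\d+) for (\S+) in (\S+) opt=")
RE_RESP = re.compile(r"RADIUS resp code (\d+)")
RE_RESULT = re.compile(r"Result for radius svr '([^']+)' \S+ is (\d+)")
RE_GROUP = re.compile(r"fnbamd_radius_group_match-(Skipping|Failed) group matching")


def parse_fnbamd_session(lines: List[str]) -> dict:
    """Collect, from one fnbamd auth session, the fields that decide the login."""
    session = {
        "req_id": None,            # fnbamd request id
        "user": None,              # user name being authenticated
        "group": None,             # user group (GUI login) or server name (diag test)
        "server": None,            # RADIUS server that answered
        "radius_resp_code": None,  # RFC 2865 code: 2 = Access-Accept, 3 = Access-Reject
        "result": None,            # fnbamd result for that server, 0 = success
        "group_match": None,       # "skipping", "failed" or None if no such line seen
    }
    for raw in lines:
        line = raw.strip().lstrip("# ")  # drop a leading CLI prompt if present
        if m := RE_REQ.search(line):
            session["req_id"], session["user"], session["group"] = m.groups()
        elif m := RE_RESP.search(line):
            session["radius_resp_code"] = int(m.group(1))
        elif m := RE_RESULT.search(line):
            session["server"], session["result"] = m.group(1), int(m.group(2))
        elif m := RE_GROUP.search(line):
            session["group_match"] = m.group(1).lower()
    return session


def diagnose(session: dict) -> str:
    """Turn a parsed session into the conclusion a troubleshooter would draw."""
    if session["radius_resp_code"] != 2:
        return (f"no Access-Accept from the RADIUS server (resp code {session['radius_resp_code']}): "
                "check credentials, shared secret or server reachability")
    if session["group_match"] == "failed":
        return (f"credentials accepted, but group matching against '{session['group']}' failed: "
                "set the user group's remote 'Group Name' to 'Any', or make the RADIUS server "
                "return that group for the user")
    if session["group_match"] == "skipping":
        return "credentials accepted; group matching skipped, as 'diag test authserver' does"
    return "credentials accepted and group matched"


# Sample input: the two fnbamd excerpts from the article (CLI test, then GUI login).
CLI_TEST_LOG = """\
[2127] handle_req-Rcvd auth req 363714660 for cvigabriel in FGT-Radius opt=0000001d prot=0
[355] __compose_group_list_from_req-Group 'FGT-Radius'
[1280] __fnbamd_rad_send-Sent radius req to server 'FGT-Radius': fd=13, IP=emernps.emer.local(10.1.1.235:1645) code=1 id=35 len=102 user="cvigabriel" using PAP
[1746] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[2565] fnbamd_auth_handle_radius_result-->Result for radius svr 'FGT-Radius' emernps.emer.local(0) is 0
[2496] fnbamd_radius_group_match-Skipping group matching
[182] fnbamd_comm_send_result-Sending result 0 (error 0, nid 0) for req 363714660
"""

GUI_LOGIN_LOG = """\
# [2127] handle_req-Rcvd auth req 363714661 for cvigabriel in Networking opt=00014001 prot=10
[355] __compose_group_list_from_req-Group 'Networking'
[1280] __fnbamd_rad_send-Sent radius req to server 'FGT-Radius': fd=13, IP=emernps.emer.local(10.1.1.235:1645) code=1 id=36 len=109 user="cvigabriel" using PAP
[1746] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[2565] fnbamd_auth_handle_radius_result-->Result for radius svr 'FGT-Radius' emernps.emer.local(0) is 0
[2492] fnbamd_radius_group_match-Failed group matching
"""

if __name__ == "__main__":
    for name, log in (("CLI test", CLI_TEST_LOG), ("GUI login", GUI_LOGIN_LOG)):
        s = parse_fnbamd_session(log.splitlines())
        print(f"{name} (req {s['req_id']}, user {s['user']}, group {s['group']}): {diagnose(s)}")
```

Paste a captured fnbamd session into one of the log strings, or feed the output of the debug commands above line by line; the point of separating the RADIUS response code from the group-match line is that an Access-Accept with a failed group match is a group configuration problem, not a credential or server problem.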
Note: If FortiAuthenticator is used as the RADIUS server, the user groups must be added to the RADIUS policy; the groups to add are the ones that exist on the FortiAuthenticator.
Related articles:
Technical Tip: Remote admin login with Radius selecting admin access account profile
Technical Tip: FortiGate admin access using FortiAuthenticator