Description
This article describes a FortiGate admin login configured against RADIUS groups, where admin authentication succeeds when tested from the command line but fails from the GUI.
Scope
FortiGate.
Solution
Run the following debug commands on the FortiGate CLI:
diagnose debug console timestamp enable
diagnose debug application fnbamd -1
diagnose debug app authd -1
diagnose debug enable
The authentication test from the CLI is successful:
Command Syntax:
diagnose test authserver radius <server_name> <chap | pap | mschap | mschap2> <username> <password>
Example of a successful test:
diagnose test authserver radius FGT-Radius pap fgtadmin xxxxxx
Debug Output:
[2127] handle_req-Rcvd auth req 363714660 for cvigabriel in FGT-Radius opt=0000001d prot=0
[355] __compose_group_list_from_req-Group 'FGT-Radius'
[605] fnbamd_pop3_start-cvigabriel
[524] __fnbamd_cfg_get_radius_list_by_server-Loading RADIUS server 'FGT-Radius'
[304] fnbamd_create_radius_socket-Opened radius socket 13
[304] fnbamd_create_radius_socket-Opened radius socket 14
[1338] fnbamd_radius_auth_send-Compose RADIUS request
[39] fnbamd_dns_resolv-DNS req 'emernps.emer.local'
[281] radius_server_auth-Timer of rad 'FGT-Radius' is added
[492] create_auth_session-Total 1 server(s) to try
[193] fnbamd_dns_parse_resp-req 3: 10.1.1.235
[1305] fnbamd_rad_dns_cb-emernps.emer.local->10.1.1.235
[1280] __fnbamd_rad_send-Sent radius req to server 'FGT-Radius': fd=13, IP=emernps.emer.local(10.1.1.235:1645) code=1 id=35 len=102 user="cvigabriel" using PAP
[2539] fnbamd_auth_handle_radius_result-Timer of rad 'FGT-Radius' is deleted
[1746] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[2565] fnbamd_auth_handle_radius_result-->Result for radius svr 'FGT-Radius' emernps.emer.local(0) is 0
[2496] fnbamd_radius_group_match-Skipping group matching
[898] find_matched_usr_grps-Skipped group matching
[182] fnbamd_comm_send_result-Sending result 0 (error 0, nid 0) for req 363714660
[637] destroy_auth_session-delete session 363714660
authenticate 'cvigabriel' against 'pap' succeeded, server=primary assigned_rad_session_id=363714660 session_timeout=0 secs idle_timeout=0 secs!
Admin login attempt from the GUI ends in an authentication failure:
# [2127] handle_req-Rcvd auth req 363714661 for cvigabriel in Networking opt=00014001 prot=10
[355] __compose_group_list_from_req-Group 'Networking'
[605] fnbamd_pop3_start-cvigabriel
[304] fnbamd_create_radius_socket-Opened radius socket 13
[304] fnbamd_create_radius_socket-Opened radius socket 14
[1338] fnbamd_radius_auth_send-Compose RADIUS request
[39] fnbamd_dns_resolv-DNS req 'emernps.emer.local'
[281] radius_server_auth-Timer of rad 'FGT-Radius' is added
[701] auth_tac_plus_start-Didn't find tac_plus servers (0)
[426] ldap_start-Didn't find ldap servers (0)
[492] create_auth_session-Total 1 server(s) to try
[193] fnbamd_dns_parse_resp-req 4: 10.1.1.235
[1305] fnbamd_rad_dns_cb-emernps.emer.local->10.1.1.235
[1280] __fnbamd_rad_send-Sent radius req to server 'FGT-Radius': fd=13, IP=emernps.emer.local(10.1.1.235:1645) code=1 id=36 len=109 user="cvigabriel" using PAP
[2539] fnbamd_auth_handle_radius_result-Timer of rad 'FGT-Radius' is deleted
[1746] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[2565] fnbamd_auth_handle_radius_result-->Result for radius svr 'FGT-Radius' emernps.emer.local(0) is 0
[2492] fnbamd_radius_group_match-Failed group matching
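The two captures differ only in the request context and the group-matching line, which is easy to miss in a long debug session. The following added example (not Fortinet tooling; the function names are hypothetical) summarizes each fnbamd auth request from lines excerpted from the captures above, assuming requests are not interleaved in the output:

```python
import re

# Lines excerpted from the two debug captures shown above.
SAMPLE = """\
[2127] handle_req-Rcvd auth req 363714660 for cvigabriel in FGT-Radius opt=0000001d prot=0
[1746] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[2496] fnbamd_radius_group_match-Skipping group matching
[182] fnbamd_comm_send_result-Sending result 0 (error 0, nid 0) for req 363714660
# [2127] handle_req-Rcvd auth req 363714661 for cvigabriel in Networking opt=00014001 prot=10
[1746] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[2492] fnbamd_radius_group_match-Failed group matching
"""

# RADIUS packet codes from RFC 2865.
RADIUS_CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

REQ = re.compile(r"handle_req-Rcvd auth req (\d+) for (\S+) in (\S+)")
RESP = re.compile(r"RADIUS resp code (\d+)")
MATCH = re.compile(r"fnbamd_radius_group_match-(\w+) group matching")

def diagnose(req):
    """Turn the collected fields into a one-line finding."""
    if req["radius"] != "Access-Accept":
        return "no Access-Accept seen from the RADIUS server"
    if req["group_match"] == "failed":
        return "server accepted the user, FortiGate group match failed"
    if req["group_match"] == "skipping":
        return "credentials accepted, group membership not evaluated"
    return "accepted"

def summarize(text):
    """Return one dict per auth request, in order of appearance."""
    reqs = []
    for line in text.splitlines():
        if m := REQ.search(line):
            reqs.append({"id": m[1], "user": m[2], "context": m[3],
                         "radius": None, "group_match": None})
        elif not reqs:
            continue  # ignore output before the first request
        elif m := RESP.search(line):
            reqs[-1]["radius"] = RADIUS_CODES.get(int(m[1]), m[1])
        elif m := MATCH.search(line):
            reqs[-1]["group_match"] = m[1].lower()
    for req in reqs:
        req["diagnosis"] = diagnose(req)
    return reqs

if __name__ == "__main__":
    for req in summarize(SAMPLE):
        print(req["id"], req["context"], req["radius"], "->", req["diagnosis"])
```

The summary shows that the CLI test only validates credentials against the server 'FGT-Radius', while the GUI login is evaluated against the user group 'Networking' and fails there despite the Access-Accept.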
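To solve this problem, browse to User & Device -> User Groups, select the remote groups that are configured for admin login and edit them, change the 'Group Name' (which is 'Networking' in this case) to 'Any', and apply. With 'Any', the FortiGate does not compare a group returned by the RADIUS server, so every user the server accepts matches this user group.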
Group 'Networking' exists on the FortiGate.
Note:
If FortiAuthenticator is used as a RADIUS server, the user groups are to be added to the RADIUS policy as highlighted.
The highlighted groups are the groups that exist on the FortiAuthenticator.
Related articles:
Technical Tip: Remote admin login with Radius selecting admin access account profile
Technical Tip: FortiGate admin access using FortiAuthenticator
Copyright 2025 Fortinet, Inc. All Rights Reserved.