This article explains the RADIUS server reachability status cache which was introduced in FortiOS 7.4.0.
Scope: FortiOS 7.4.
Before FortiOS 7.4, a RADIUS profile with a secondary or tertiary server configured would always attempt the primary server first, even when it was unreachable. Every authentication then had to wait for the primary server to time out before the next server was tried, which adds unnecessary delay and, with some configurations, can cause the authentication itself to fail.
To avoid this, FortiOS 7.4.0 introduced the RADIUS server reachability status cache, which stops authentication requests from being sent to servers known to be unresponsive. When a configured RADIUS server fails to respond six times consecutively, FortiOS marks it as unreachable for the configured status-ttl period (5 minutes with set status-ttl 300) and does not contact it during that time; requests go directly to the secondary or tertiary server, depending on their own cached status.
The current reachability status of the configured RADIUS servers can be obtained with the CLI command 'diagnose test application fnbamd 6'. Each RADIUS server has one of the three status codes below:
Status Code | Status Name | Description |
-1 | Undetermined | No authentication requests have been sent to this server within the configured status-ttl period (set status-ttl 300). Authentication requests can be sent to this server. |
0 | Unreachable | The server failed to respond six times consecutively. No requests will be sent to this server until status-ttl expires. |
1 | Reachable | The server responded at least once within the configured status-ttl period. Authentication requests can be sent to this server. |
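The following Python model of the cache logic described above is an added example, not FortiOS code: it reproduces the six-failure threshold, the status-ttl expiry and the primary/secondary/tertiary selection so that a failover timeline can be stepped through offline. The names ServerState, select_server and simulate_primary_outage are the example's own, and the behaviour that an expired cache entry (reachable or unreachable) reverts to undetermined and restarts the failure counter is an assumption inferred from the status table, not something the article states.

```python
from dataclasses import dataclass
from typing import List, Optional

# Status codes as reported by 'diagnose test application fnbamd 6'
UNDETERMINED, UNREACHABLE, REACHABLE = -1, 0, 1
FAIL_THRESHOLD = 6   # consecutive timeouts before a server is marked unreachable
STATUS_TTL = 300     # seconds, mirrors 'set status-ttl 300'


@dataclass
class ServerState:
    """Reachability cache entry for one RADIUS server (model, not FortiOS code)."""
    ip: str
    conn_fails: int = 0                  # consecutive timeouts, reset by any reply
    cached: int = UNDETERMINED           # status recorded by the last event
    last_event: Optional[float] = None   # time of the last reply or timeout

    def _expire(self, now: float) -> None:
        # Assumption: once the cached result is older than status-ttl it is
        # dropped, the server is undetermined again and the counter restarts.
        if self.last_event is not None and now - self.last_event >= STATUS_TTL:
            self.conn_fails = 0
            self.cached = UNDETERMINED
            self.last_event = None

    def status(self, now: float) -> int:
        self._expire(now)
        return self.cached

    def record_reply(self, now: float) -> None:
        """Any response within status-ttl makes the server reachable."""
        self._expire(now)
        self.conn_fails = 0
        self.cached = REACHABLE
        self.last_event = now

    def record_timeout(self, now: float) -> None:
        """A timeout bumps the counter; the sixth in a row marks the server down."""
        self._expire(now)
        self.conn_fails += 1
        self.last_event = now
        if self.conn_fails >= FAIL_THRESHOLD:
            self.cached = UNREACHABLE


def select_server(servers: List[ServerState], now: float) -> Optional[ServerState]:
    """First server in primary/secondary/tertiary order that is not cached as
    unreachable; None means every configured server is currently skipped."""
    for server in servers:
        if server.status(now) != UNREACHABLE:
            return server
    return None


def simulate_primary_outage(timeout: int = 5) -> dict:
    """Walk through a primary outage: six consecutive timeouts, failover to the
    secondary, and the primary becoming eligible again after status-ttl."""
    primary = ServerState("10.109.19.24")      # addresses from the profile above
    secondary = ServerState("10.109.20.23")
    tertiary = ServerState("10.211.0.195")
    servers = [primary, secondary, tertiary]
    timeline = {}
    now = 0.0
    for attempt in range(1, FAIL_THRESHOLD + 1):
        assert select_server(servers, now) is primary   # still tried while < 6 fails
        now += timeout                                   # request times out
        primary.record_timeout(now)
        timeline[f"after_timeout_{attempt}"] = primary.status(now)
    chosen = select_server(servers, now)                 # primary is now skipped
    chosen.record_reply(now + 1)
    timeline["failover_to"] = chosen.ip
    timeline["secondary_status"] = secondary.status(now + 1)
    timeline["primary_after_ttl"] = primary.status(now + STATUS_TTL)
    return timeline


if __name__ == "__main__":
    for event, value in simulate_primary_outage().items():
        print(f"{event}: {value}")
```

With the profile's 5-second timeout, the sixth timeout lands 30 seconds into the outage; until then each authentication still pays the primary's timeout before falling over, which is the delay the cache removes for the following status-ttl seconds.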
Configuration:
Basic configuration of a RADIUS server profile with primary, secondary, and tertiary servers:
config user radius
edit "FAC"
set server "10.109.19.24" # Primary RADIUS server
set secret fortinet
set auth-type pap
set secondary-server "10.109.20.23" # Secondary RADIUS server
set secondary-secret fortinet
set tertiary-server "10.211.0.195" # Tertiary RADIUS server
set tertiary-secret fortinet
set timeout 5 # Seconds to wait for a reply before the request counts as a connection failure and the next server is tried.
set status-ttl 300 # Seconds for which a server's reachability status is cached.
next
end
Debug example:
Snippet of fnbamd debug output (collected with 'diagnose debug application fnbamd -1' after 'diagnose debug enable'), showing the consecutive connection failure counter increasing.
# Initiating connection to the primary server 10.109.19.24
2023-07-28 10:12:40 [566] fnbamd_rad_make_access_request-
2023-07-28 10:12:40 [329] __create_access_request-Compose RADIUS request
2023-07-28 10:12:40 [549] __create_access_request-Created RADIUS Access-Request. Len: 100.
2023-07-28 10:12:40 [758] __rad_rxtx-Sent radius req to server 'FAC': fd=11, IP=10.109.19.24(10.109.19.24:1812) code=1 id=115 len=100
2023-07-28 10:12:40 [767] __rad_rxtx-Start rad conn timer.
# The server did not respond within the configured 5 second timeout, so the request timed out and the consecutive failure counter was incremented (conn_fails 4/5). This server has now failed four times in a row; two more timeouts (six in total) will mark it as unreachable.
2023-07-28 10:12:45 [639] __rad_conn_timeout-Connction with FAC:10.109.19.24 timed out.
2023-07-28 10:12:45 [907] __rad_error-Ret 10, st = 1.
2023-07-28 10:12:45 [296] fnbamd_radius_get_next_auth_prot-Next auth prot PAP
2023-07-28 10:12:45 [930] __rad_error-Conn failed.
2023-07-28 10:12:45 [985] fnbamd_cfg_radius_update_reachability-10.109.19.24, conn_fails 4/5
2023-07-28 10:12:45 [725] __rad_rxtx-fd 11, state 1(Auth)
2023-07-28 10:12:45 [727] __rad_rxtx-Stop rad conn timer.
Current server status:
Example of RADIUS server reachability states.
diag test app fnbamd 6
...
RADIUS servers: (7)
...
FAC (ref=1)
Flags: 0028
Network Protocol: UDP
Timeout: 5
Server '10.109.19.24', port 1812, reachable: 0 (131 secs ago) # Flagged as unreachable 131 seconds ago; it will not be contacted until status-ttl (300 seconds) expires, i.e. in about 169 seconds.
Server '10.109.20.23', port 1812, reachable: 1 (119 secs ago) # Reachable; it last responded 119 seconds ago, so authentication requests currently go to this server.
Server '10.211.0.195', port 1812, reachable: -1 (0 secs ago) # Undetermined; no request has been sent to it within the status-ttl period.
...
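When checking this status on many units or over time, it helps to turn the output into data. The parser below is an added example, not FortiOS code: it reads the 'Server ...' lines of 'diagnose test application fnbamd 6' grouped by profile, works out which server fnbamd will contact next (the first one not cached as unreachable) and how long an unreachable server stays excluded (status-ttl minus the age shown). The sample text is constructed from the output above, the function names parse_fnbamd_status, next_server, retry_in and report are the example's own, and only the profile and Server lines are interpreted; other fields in the real output are ignored.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

STATUS_TTL = 300   # mirrors 'set status-ttl 300' in the profile
STATUS_NAMES = {-1: "undetermined", 0: "unreachable", 1: "reachable"}

# Constructed sample, copied from the diag output shown above; the '...' lines
# stand for the parts the article elides.
SAMPLE = """\
RADIUS servers: (7)
...
FAC (ref=1)
Flags: 0028
Network Protocol: UDP
Timeout: 5
Server '10.109.19.24', port 1812, reachable: 0 (131 secs ago)
Server '10.109.20.23', port 1812, reachable: 1 (119 secs ago)
Server '10.211.0.195', port 1812, reachable: -1 (0 secs ago)
...
"""

PROFILE_RE = re.compile(r"^(?P<name>\S+) \(ref=\d+\)$")
SERVER_RE = re.compile(
    r"^Server '(?P<ip>[^']+)', port (?P<port>\d+), "
    r"reachable: (?P<code>-1|0|1) \((?P<age>\d+) secs ago\)"
)


@dataclass
class ServerStatus:
    ip: str
    port: int
    code: int      # -1 undetermined, 0 unreachable, 1 reachable
    age: int       # seconds since the status was recorded


def parse_fnbamd_status(text: str) -> Dict[str, List[ServerStatus]]:
    """Group the 'Server ...' lines under the RADIUS profile they belong to,
    preserving the primary/secondary/tertiary order of the output."""
    profiles: Dict[str, List[ServerStatus]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        m = PROFILE_RE.match(line)
        if m:
            current = m.group("name")
            profiles[current] = []
            continue
        m = SERVER_RE.match(line)
        if m and current is not None:
            profiles[current].append(ServerStatus(
                ip=m.group("ip"), port=int(m.group("port")),
                code=int(m.group("code")), age=int(m.group("age"))))
    return profiles


def next_server(servers: List[ServerStatus]) -> Optional[ServerStatus]:
    """The server fnbamd will try next: the first one not cached as unreachable."""
    for s in servers:
        if s.code != 0:
            return s
    return None


def retry_in(server: ServerStatus, status_ttl: int = STATUS_TTL) -> Optional[int]:
    """Seconds until an unreachable server's cache entry expires and it is tried
    again; None for servers that are not cached as unreachable."""
    if server.code != 0:
        return None
    return max(0, status_ttl - server.age)


def report(profiles: Dict[str, List[ServerStatus]]) -> List[str]:
    """One summary line per profile followed by one line per server."""
    lines = []
    for name, servers in profiles.items():
        nxt = next_server(servers)
        target = nxt.ip if nxt else "NO SERVER (all cached as unreachable)"
        lines.append(f"{name}: next request goes to {target}")
        for s in servers:
            extra = f", retried in {retry_in(s)}s" if s.code == 0 else ""
            lines.append(f"  {s.ip}:{s.port} {STATUS_NAMES[s.code]} ({s.age}s ago{extra})")
    return lines


if __name__ == "__main__":
    print("\n".join(report(parse_fnbamd_status(SAMPLE))))
```

A profile whose summary line reports no eligible server is worth alerting on: every configured RADIUS server is cached as unreachable and authentications will fail until the oldest entry's status-ttl expires.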
Copyright 2024 Fortinet, Inc. All Rights Reserved.