FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 266131


This article explains the RADIUS server reachability status cache which was introduced in FortiOS 7.4.0.




FortiOS 7.4.




When configuring a secondary or tertiary RADIUS server, all FortiOS versions before version 7.4 would always attempt to contact the primary server first, even when it is unreachable. This creates unnecessary delays in user authentication and can even cause authentication failures with some configurations.


To optimize this behavior, FortiOS 7.4.0 introduced the RADIUS server reachability status cache, which helps prevent sending authentication requests to unresponsive RADIUS servers. When FortiOS detects that a primary RADIUS server failed to respond six times consecutively, it will mark the server as unreachable for 5 minutes (set status-ttl 300), during which the server will not be contacted. FortiOS will instead directly contact the secondary or tertiary servers depending on their status.


The current reachability status of RADIUS servers can be obtained with the CLI command 'diagnose test application fnbamd 6'. Each RADIUS server can have one of the bellow three status codes associated with them:


Status Code Status Name Description
-1 Undetermined No authentication requests have been sent to this server within the configured Time To Live period (set status-ttl 300). Authentication requests can be sent to this server.
0 Unreachable The server failed to respond 6 times consecutively. No requests will be sent to this server until status-ttl times out.
1 Reachable

The server responded at least once within the configured status-ttl period. Authentication requests can be sent to this server.



The basic configuration of the RADIUS profile with primary, secondary, and tertiary servers configured.




config user radius
    edit "FAC"
        set server "" # Primary RADIUS server
        set secret fortinet
        set auth-type pap
        set secondary-server "" # Secondary RADIUS server
        set secondary-secret fortinet
        set tertiary-server "" # Tertiary RADIUS server
        set tertiary-secret fortinet
        set timeout 5 # Time in seconds to retry connecting to next server.
        set status-ttl 300 # Server reachability cache duration


Debug example:

Snippet of FNBAMd debugs output (collected with the command 'diagnose debug application fnbamd -1'), showing an increasing number of connection failures.




# Initiating connection to primary server
2023-07-28 10:12:40 [566] fnbamd_rad_make_access_request-
2023-07-28 10:12:40 [329] __create_access_request-Compose RADIUS request
2023-07-28 10:12:40 [549] __create_access_request-Created RADIUS Access-Request. Len: 100.
2023-07-28 10:12:40 [758] __rad_rxtx-Sent radius req to server 'FAC': fd=11, IP= code=1 id=115 len=100
2023-07-28 10:12:40 [767] __rad_rxtx-Start rad conn timer.

# Since the server did not respond within the configured 5 second timeout period, the connection timed out and the failure counter has been increased (conn_fails 4/5). Since this server already failed to respond four times in a row, it will be marked as unreachable after two more connection timeouts.
2023-07-28 10:12:45 [639] __rad_conn_timeout-Connction with FAC: timed out.
2023-07-28 10:12:45 [907] __rad_error-Ret 10, st = 1.
2023-07-28 10:12:45 [296] fnbamd_radius_get_next_auth_prot-Next auth prot PAP
2023-07-28 10:12:45 [930] __rad_error-Conn failed.
2023-07-28 10:12:45 [985] fnbamd_cfg_radius_update_reachability-, conn_fails 4/5
2023-07-28 10:12:45 [725] __rad_rxtx-fd 11, state 1(Auth)
2023-07-28 10:12:45 [727] __rad_rxtx-Stop rad conn timer.


Current server status:

Example of RADIUS server reachability states.




diag test app fnbamd 6
RADIUS servers: (7)
FAC (ref=1)
Flags: 0028
Network Protocol: UDP
Timeout: 5
Server '', port 1812, reachable: 0 (131 secs ago) # The server has been flagged as unreachable 131 seconds ago.
# It will not be used until status-ttl is reached.
Server '', port 1812, reachable: 1 (119 secs ago) # Server is reachable and last responded 119 seconds ago.
Server '', port 1812, reachable: -1 (0 secs ago) # Server status is undetermined as it has not yet been contacted.