Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
azhunissov
Staff
Staff

Created on ‎10-04-2019 07:24 AM Edited on ‎06-12-2025 05:59 AM By Community Manager

Article Id 197118

Technical Tip: RADIUS user credential verification via GUI/web interface

Description

 

This article describes how to verify Radius server user credentials via the GUI/web interface of the FortiGate.

 

Scope

 

FortiGate.

Solution

 

Before FortiOS 6.0.0, it was only possible to check the Radius user credentials via CLI. 
However, starting from FortiOS 6.0.0 and onward, this feature is available on the GUI as well.

To check the Radius server user credentials, go to User & Device -> Radius servers
Edit the configured Radius Server and click on the 'Test User Credentials' button.

 

 
Note: Before testing user credentials, make sure that the Radius Server is already configured and there is no connectivity issues between the FortiGate and Radius Server.

After that, enter the username and password of the user.
 
 
As it is shown on the above screenshot, the FortiGate can check 'Connection status' and 'User credentials' and, upon successfully authenticating, it shows additional information such as Radius 'AVP' and 'VSA'.

Note: Until FortiOS 6.2.6 and FortiOS 6.4.2, the Radius server user credentials check via GUI/web interface works only with the PAP (Password authentication protocol) scheme. This behavior is fixed in later versions of FortiOS.
 
If the user credentials is tested with a Radius Server that does not have 'PAP' enabled, the FortiGate will show an 'Invalid credentials' message:
 
 
When using FortiOS 6.0 or earlier versions than 6.2.6/6.4.2, for all schemes other than 'PAP', it is recommended to test it via the CLI:

diagnose  test  authserver  radius
<server_name> <chap | pap | mschap | mschap2> <username> <password>
 
For example:

diagnose  test  authserver  radius WIN16 mschap2 radiususer1 password
authenticate 'radiususer1' against 'mschap2' succeeded, server=primary assigned_rad_session_id=457812022 session_timeout=0 secs idle_timeout=0 secs!
Group membership(s) - radiusgroup
 
Radius debugs to collect more logs 

 

     diagnose debug reset

diagnose debug console time enable
diagnose debug application fnbamd -1
diagnose debug enable

 

To stop debugging:

 

diagnose debug disable

 

Related articles:

20293
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.