FortiGate
zzarrouk
Staff
Article Id 196192

Description

This article describes how to troubleshoot the most common problems with RADIUS authentication on FortiGate.

Scope

FortiGate, RADIUS.

Solution

To test the RADIUS server object and check whether it is working properly, use the following CLI command:


diagnose test authserver radius <RADIUS server_name> <authentication scheme> <username> <password>

Note:

<RADIUS server_name> <- Name of the RADIUS server object on the FortiGate.

<authentication scheme> <- One of the following: pap, chap, mschap2, mschap.

Example:

diagnose test authserver radius RADIUS_SERVER pap user1 password

If the RADIUS server name contains a space, enclose the server name in double quotes. For example, if the server name is MAHB RADIUS, the syntax is as follows:

diagnose test authserver radius "MAHB RADIUS" pap user1 password

From v7.6.0, the RADIUS server object can be configured with 'source-ip-interface', so that the source IP address of RADIUS requests follows the named interface even when that interface's IP address changes dynamically.

Refer to the following document for more information:

Implement the interface name as the source IP address in RADIUS, LDAP, and DNS configurations

Advanced troubleshooting:

To get more information about the reason for an authentication failure, enable the fnbamd debug with the following CLI commands:

diagnose debug enable
diagnose debug application fnbamd 255

To stop this debug afterwards, type:

diagnose debug application fnbamd 0

With the debug enabled, run a RADIUS authentication test:

diag test authserver radius RADIUS_SERVER pap user1 password

Note: For the user password, RADIUS version 1.0 (RFC 2138) limits authentication to passwords of up to 16 characters.

If the user password is longer than 16 characters, RADIUS user authentication will not work.

To use passwords longer than 16 characters, use RADIUS version 2.0 (RFC 2865).

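RFC 2865 hides the PAP User-Password in 16-octet blocks, each XORed with MD5(shared secret + previous block), the first block being keyed on the 16-octet Request Authenticator; a password longer than 16 characters simply chains more blocks. The following is an added example (not Fortinet's code) of that encoding and its inverse in Python; the shared secret and authenticator values are constructed for illustration.

```python
import hashlib
import os

BLOCK = 16  # RFC 2865 processes User-Password in 16-octet blocks

def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding.

    The password is NUL-padded to a multiple of 16 octets; block i is XORed
    with MD5(secret + previous_ciphertext_block), where the "previous block"
    for the first block is the 16-octet Request Authenticator.
    """
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], keystream))
        out += block
        prev = block  # chaining: the next block is keyed on this ciphertext block
    return bytes(out)

def decode_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_user_password (what the RADIUS server does on receipt)."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden password length must be a non-zero multiple of 16")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), BLOCK):
        block = hidden[i:i + BLOCK]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")  # strip NUL padding (passwords are text)

def password_blocks(password: bytes) -> int:
    """Number of 16-octet blocks a password occupies on the wire."""
    return -(-len(password) // BLOCK)

if __name__ == "__main__":
    # Constructed sample values; a real client draws a fresh random authenticator per request.
    secret = b"example-shared-secret"
    authenticator = os.urandom(BLOCK)
    for pw in (b"password", b"a-password-of-exactly-30chars!"):
        hidden = encode_user_password(pw, secret, authenticator)
        assert decode_user_password(hidden, secret, authenticator) == pw
        print(len(pw), "chars ->", len(hidden), "octets,", password_blocks(pw), "block(s)")
```

The 30-character sample occupies two blocks (32 octets on the wire), which is the case a 16-character limit would reject.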

Advanced troubleshooting (example fnbamd debug output for a successful authentication):


diag test authserver radius FAC_RADUIS pap user1 Password
handle_req-Rcvd auth req 237264669 for user1 in FAC_RADUIS opt=0000001d prot=0
compose_group_list_from_req-Group 'FAC_RADUIS'
fnbamd_pop3_start-user1
fnbamd_cfg_get_radius_list_by_server-Loading RADIUS server 'FAC_RADUIS'
fnbamd_create_radius_socket-Opened radius socket 15
fnbamd_create_radius_socket-Opened radius socket 16
fnbamd_radius_auth_send-Compose RADIUS request
fnbamd_rad_dns_cb-192.168.1.99
fnbamd_rad_send-Sent radius req to server 'FAC_RADUIS': fd=15, IP=192.168.1.99(192.168.1.99:1812) code=1 id=164 len=91 u="user1" using Pap    <- Username and authentication scheme.
radius_server_auth-Timer of rad 'FAC_RADUIS' is added
create_auth_session-Total 1 server(s) to try
fnbamd_auth_handle_radius_result-Timer of rad 'FAC_RADUIS' is deleted
fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
extract_success_vsas-FORTINET attr, type 1, val AdminGroup
fnbamd_auth_handle_radius_result-->result for radius svr 'FAC_RADUIS' 192.168.1.99(1) is 0    <- 0: authentication success; 1: authentication failed.

authenticate 'user1' against 'pap' succeeded, server=primary assigned_rad_session_id=237264669 session_timeout=0 secs idle_timeou secs!
Group membership(s) - AdminGroup


Result codes for the RADIUS server in the fnbamd debug (the value N in the 'result for radius svr ... is N' line):

0: Success
1: Deny
2: Challenged (password renewal or token is needed)
3: Unknown
4: Pending
5: Error
6: Framed IP Conflict
7: Token code is required
8: Need another token because the previous one is out of sync
9: Response buffer is too small
10: Authentication timed out
11: Maximum number of concurrent authentication sessions reached
12: Token code is already used


The usual MS-CHAPv2 error codes can also appear in this debug output:

646 ERROR_RESTRICTED_LOGON_HOURS
647 ERROR_ACCT_DISABLED
648 ERROR_PASSWD_EXPIRED
649 ERROR_NO_DIALIN_PERMISSION
691 ERROR_AUTHENTICATION_FAILURE
709 ERROR_CHANGING_PASSWORD
 

If a packet capture is taken with the built-in sniffer (diag sniffer packet any "host x.x.x.x" 6 0 a) or analysed in Wireshark, the RADIUS packet codes are as follows:

Code  Assignment
1     Access-Request
2     Access-Accept
3     Access-Reject
4     Accounting-Request
5     Accounting-Response
11    Access-Challenge
12    Status-Server (experimental)
13    Status-Client (experimental)
40    Disconnect-Request
41    Disconnect-ACK
42    Disconnect-NAK
43    CoA-Request
44    CoA-ACK
45    CoA-NAK
255   Reserved