Created on 11-19-2019 02:44 AM, edited on 01-22-2025 05:02 PM by SassiVeeran
Description
This article describes how to solve most common problems with RADIUS.
Scope
FortiGate, RADIUS.
Solution
To test the RADIUS connection, navigate to the FortiGate GUI ---> User & Authentication ---> RADIUS Server ---> select the RADIUS server ---> select 'Test connectivity'.
The test should show 'Successful'. The FortiGate generates its own RADIUS 'Access-Request' packet and sends it to the RADIUS server. If the FortiGate receives a response (for example an Access-Reject), it shows the connection as successful.
If the connectivity test shows 'Can't contact RADIUS Server', ensure that the RADIUS Access-Request packet is reaching the RADIUS server and that the FortiGate is configured as a RADIUS client in the RADIUS server policy.
To test RADIUS authentication and confirm that it is working properly, use the following CLI command:
diagnose test authserver radius <RADIUS server_name> <authentication scheme> <username> <password>
Note:
<RADIUS server_name> <- Name of the RADIUS server object on the FortiGate.
<authentication scheme> <- One of the following: pap, chap, mschap2, mschap.
Example:
diagnose test authserver radius RADIUS_SERVER pap user1 password
If the RADIUS server name contains a space, enclose the server name in double quotes (" "). For example, if the server name is MAHB RADIUS, the syntax is as follows:
diagnose test authserver radius "MAHB RADIUS" pap user1 password
From v7.6.0, RADIUS has the option to configure 'source-ip-interface' to overcome the challenges of dynamic IP address changes.
Refer to the following document for more information: Implement the interface name as the source IP address in RADIUS, LDAP, and DNS configurations
Advanced troubleshooting:
To get more information regarding the reasons for authentication failure, use the following CLI commands:
diagnose debug enable
diagnose debug application fnbamd 255
To stop this debug, type:
diagnose debug application fnbamd 0
Then run a RADIUS authentication test:
diag test authserver radius RADIUS_SERVER pap user1 password
Note:
For user password configuration, RADIUS v1.0 (RFC 2138) limits authentication to passwords of up to 16 characters. If the user password is longer than 16 characters, RADIUS user authentication will not work. To use passwords longer than 16 characters, use RADIUS v2.0 (RFC 2865).
Example of the fnbamd debug output:
diag test authserver radius FAC_RADUIS pap user1 Password
handle_req-Rcvd auth req 237264669 for user1 in FAC_RADUIS opt=0000001d prot=0
compose_group_list_from_req-Group 'FAC_RADUIS'
fnbamd_pop3_start-user1
fnbamd_cfg_get_radius_list_by_server-Loading RADIUS server 'FAC_RADUIS'
fnbamd_create_radius_socket-Opened radius socket 15
fnbamd_create_radius_socket-Opened radius socket 16
fnbamd_radius_auth_send-Compose RADIUS request
fnbamd_rad_dns_cb-192.168.1.99
fnbamd_rad_send-Sent radius req to server 'FAC_RADUIS': fd=15, IP=192.168.1.99(192.168.1.99:1812) code=1 id=164 len=91 u="user1" using Pap <- Username and authentication scheme.
radius_server_auth-Timer of rad 'FAC_RADUIS' is added
create_auth_session-Total 1 server(s) to try
fnbamd_auth_handle_radius_result-Timer of rad 'FAC_RADUIS' is deleted
fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
extract_success_vsas-FORTINET attr, type 1, val AdminGroup
fnbamd_auth_handle_radius_result-->result for radius svr 'FAC_RADUIS' 192.168.1.99(1) is 0 <- 0: authentication success; 1: authentication failed.
authenticate 'user1' against 'pap' succeeded, server=primary assigned_rad_session_id=237264669 session_timeout=0 secs idle_timeou secs!
Group membership(s) - AdminGroup
RADIUS authentication result codes in the fnbamd debug:
0: Success
1: Deny
2: Challenged (password renewal or token is needed)
3: Unknown
4: Pending
5: Error
6: Framed IP Conflict
7: Token code is required
8: Another token is needed because the previous one is out of sync
9: Response Buffer is too small
10: Authentication time out
11: Maximum number of concurrent authentication sessions reached
12: Token code has already been used
The usual MS-CHAPv2 error codes can also appear here:
646 ERROR_RESTRICTED_LOGON_HOURS
647 ERROR_ACCT_DISABLED
648 ERROR_PASSWD_EXPIRED
649 ERROR_NO_DIALIN_PERMISSION
691 ERROR_AUTHENTICATION_FAILURE
709 ERROR_CHANGING_PASSWORD
To validate the reply from the RADIUS server, capture the traffic with the sniffer from the CLI:
diagnose sniffer packet any "host x.x.x.x" 6 0 a
ctrl+c ---> To stop the sniffer.
x.x.x.x ---> RADIUS server IP.
Sniffer filtered on the RADIUS server IP address and the RADIUS port numbers:
diagnose sniffer packet any "host [radius-srv-ip] and port (1812 or 1813)" 6 0 l
ctrl+c ---> To stop the sniffer.
Capture traffic via GUI:
Troubleshooting Tip: Packet Capture on FortiOS GUI
When analysing the capture in Wireshark, refer to the following RADIUS codes:
| Code | Assignment |
|---|---|
| 1 | Access-Request |
| 2 | Access-Accept |
| 3 | Access-Reject |
| 4 | Accounting-Request |
| 5 | Accounting-Response |
| 11 | Access-Challenge |
| 12 | Status-Server (experimental) |
| 13 | Status-Client (experimental) |
| 40 | Disconnect-Request |
| 41 | Disconnect-ACK |
| 42 | Disconnect-NAK |
| 43 | CoA-Request |
| 44 | CoA-ACK |
| 45 | CoA-NAK |
| 255 | Reserved |
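To relate the sniffer capture and the Wireshark code table above to what fnbamd prints (resp code 2, "FORTINET attr, type 1, val AdminGroup"), here is an added Python decoder for RADIUS packets; it is example code written for this article, not FortiOS or Fortinet code. The packets it parses are constructed inline, and the Fortinet vendor ID 12356 with Fortinet-Group-Name as vendor type 1 are taken from Fortinet's published RADIUS dictionary, not from this article.

```python
import struct

# RADIUS packet codes (RFC 2865/2866/5176): the same table the article gives for Wireshark.
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 4: "Accounting-Request",
                5: "Accounting-Response", 11: "Access-Challenge", 12: "Status-Server", 13: "Status-Client",
                40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK", 43: "CoA-Request",
                44: "CoA-ACK", 45: "CoA-NAK", 255: "Reserved"}
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 18: "Reply-Message", 26: "Vendor-Specific"}
FORTINET_VENDOR_ID = 12356                  # Fortinet's IANA enterprise number (from the Fortinet dictionary)
FORTINET_VSA = {1: "Fortinet-Group-Name"}   # the "FORTINET attr, type 1" that the fnbamd debug prints


def parse_radius(pkt: bytes) -> dict:
    """Decode one RADIUS packet: 20-byte header, then type/length/value attributes."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):          # RFC 2865: such packets must be silently discarded
        raise ValueError(f"bad RADIUS length field {length}")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        value = pkt[pos + 2:pos + alen]
        if atype == 26 and len(value) >= 6 and struct.unpack("!I", value[:4])[0] == FORTINET_VENDOR_ID:
            vtype, vlen = value[4], value[5]            # vendor-type, vendor-length (RFC 2865 s5.26)
            attrs.append((FORTINET_VSA.get(vtype, f"Fortinet-VSA-{vtype}"), value[6:4 + vlen].decode("utf-8", "replace")))
        elif atype == 4:
            attrs.append((ATTR_NAMES[atype], ".".join(str(b) for b in value)))
        else:
            attrs.append((ATTR_NAMES.get(atype, f"Attr-{atype}"), value.decode("utf-8", "replace")))
        pos += alen
    return {"code": code, "code_name": RADIUS_CODES.get(code, "Unknown"), "id": ident, "attributes": attrs}


def build_packet(code: int, ident: int, attrs: list) -> bytes:
    """Assemble a RADIUS packet from (type, value) pairs; the authenticator is zeroed for the samples."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + b"\x00" * 16 + body


# Constructed samples (not captured traffic): an Access-Accept carrying Fortinet-Group-Name "AdminGroup",
# matching the article's "RADIUS resp code 2" / "FORTINET attr, type 1, val AdminGroup" debug lines,
# and an Access-Reject carrying a Reply-Message.
FORTINET_GROUP_VSA = struct.pack("!IBB", FORTINET_VENDOR_ID, 1, 2 + len(b"AdminGroup")) + b"AdminGroup"
SAMPLE_ACCEPT = build_packet(2, 164, [(26, FORTINET_GROUP_VSA)])
SAMPLE_REJECT = build_packet(3, 165, [(18, b"Access denied")])

if __name__ == "__main__":
    for pkt in (SAMPLE_ACCEPT, SAMPLE_REJECT):
        print(parse_radius(pkt))
```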
Additional Information: If the RADIUS server is Windows NPS, the reason behind a RADIUS rejection (code 3, Access-Reject) can be determined by enabling RADIUS auditing on the NPS server, which logs the reason for the rejection.
The steps are as follows:
On the Windows RADIUS (NPS) server, check whether auditing is enabled. In the Command Prompt, type the following command:
auditpol /get /subcategory:"Network Policy Server"
If the output shows that auditing is not enabled, enable it with the following command:
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
Once this is done, open Windows Event Viewer and search for Event IDs 6273 and 6274 to view the reason for the rejection; all other RADIUS events can be seen as well, with their respective event IDs.
Copyright 2025 Fortinet, Inc. All Rights Reserved.