Description: This article describes how to debug RADIUS CoA on FortiGate, with example log messages for a Disconnect-ACK and a Disconnect-NAK.
Scope: FortiGate.
Solution:
To debug the RADIUS CoA messages, the following commands are used:

diag debug console timestamp enable
diag debug app radius-das 255
diag debug enable

To disable the debug:

diag debug disable
diag debug reset
In response to receiving a CoA, FortiGate will reply with either a Disconnect-ACK or Disconnect-NAK. For more information about RADIUS responses, see Technical Tip: RADIUS error codes.
The following example log output shows a Disconnect-ACK. The FortiGate received a CoA Disconnect-Request message from RADIUS-SVR 10.200.200.10 with the Attribute Value Pairs (AVPs) Framed-IP-Address, User-Name, and Event-Timestamp. The FortiGate disconnected the user and replied with a Disconnect-ACK.

2025-03-12 13:07:39 32628.839 2025-03-12 13:07:39 DAS: Received 48 bytes from 10.200.200.10:55302
2025-03-12 13:07:39 32628.840 2025-03-12 13:07:39 RADIUS message: code=40 (Disconnect-Request) identifier=238 length=48
2025-03-12 13:07:39 Attribute 8 (Framed-IP-Address) length=6 pos 0xa5a0f46
2025-03-12 13:07:39 Value: 192.168.200.15
2025-03-12 13:07:39 Attribute 1 (User-Name) length=16 pos 0xa5a0f4c
2025-03-12 13:07:39 Value: 'user1@example.com'
2025-03-12 13:07:39 Attribute 55 (Event-Timestamp) length=6 pos 0xa5a0f5c
2025-03-12 13:07:39 Value: 1741784857
2025-03-12 13:07:39 32628.840 2025-03-12 13:07:39 DAS: received msg with hdr_code 40
2025-03-12 13:07:39 32628.840 2025-03-12 13:07:39 DAS: No Message-Authenticator attribute found
2025-03-12 13:07:39 32628.840 2025-03-12 13:07:39 DAS: select framed_ip 192.168.200.15
2025-03-12 13:07:39 32628.841 2025-03-12 13:07:39 DAS: select user_name user1@example.com'
2025-03-12 13:07:39 32628.841 2025-03-12 13:07:39 DAS: set ipv4 shaper for user user1@example.com (192.168.200.15: max-up=0, max-down=0 from 'RADIUS-SVR'
2025-03-12 13:07:39 32628.841 2025-03-12 13:07:39 DAS: -1 sslvpn session(s) deleted.
2025-03-12 13:07:39 32628.932 2025-03-12 13:07:39 DAS: 1 auth session(s) deleted.
(output omitted)
2025-03-12 13:07:39 32628.952 2025-03-12 13:07:39 DAS: Get coa event result 2 with req_num 12
2025-03-12 13:07:41 32630.958 2025-03-12 13:07:41 DAS: Reply ACK to 10.200.200.10:55302
2025-03-12 13:07:41 32630.958 2025-03-12 13:07:41 RADIUS message: code=41 (Disconnect-ACK) identifier=238 length=44
2025-03-12 13:07:41 Attribute 55 (Event-Timestamp) length=6 pos 0xa5a2d26
2025-03-12 13:07:41 Value: 1741784859
2025-03-12 13:07:41 Attribute 80 (Message-Authenticator) length=18 pos 0xa5a2d2c
2025-03-12 13:07:41 32630.959 2025-03-12 13:07:41 Value: - hexdump(len=16):
2025-03-12 13:07:41 C6 37 CC E6 CA 99 61 DC 45 56 79 43 11 F9 84 B4 .7....a.EVyC....
The following example log output shows a Disconnect-NAK. The FortiGate received a CoA Disconnect-Request message from RADIUS-SVR 10.200.200.10 with the AVPs Framed-IP-Address, User-Name, and Event-Timestamp. In this case there was no matching user auth session, so the FortiGate replied with a Disconnect-NAK carrying the AVP Error-Cause with value 503 (Session Context Not Found). For more information about CoA error codes, see RADIUS change of authorization (CoA) - FortiSwitch administration guide.

2025-03-12 13:10:29 32798.039 2025-03-12 13:10:29 DAS: Received 48 bytes from 10.200.200.10:53199
2025-03-12 13:10:29 32798.039 2025-03-12 13:10:29 RADIUS message: code=40 (Disconnect-Request) identifier=4 length=48
2025-03-12 13:10:29 Attribute 8 (Framed-IP-Address) length=6 pos 0xa5a17c6
2025-03-12 13:10:29 Value: 192.168.200.15
2025-03-12 13:10:29 Attribute 1 (User-Name) length=16 pos 0xa5a17cc
2025-03-12 13:10:29 Value: 'user1@example.com'
2025-03-12 13:10:29 Attribute 55 (Event-Timestamp) length=6 pos 0xa5a17dc
2025-03-12 13:10:29 Value: 1741785026
2025-03-12 13:10:29 32798.040 2025-03-12 13:10:29 DAS: received msg with hdr_code 40
2025-03-12 13:10:29 32798.040 2025-03-12 13:10:29 DAS: No Message-Authenticator attribute found
2025-03-12 13:10:29 32798.040 2025-03-12 13:10:29 DAS: select framed_ip 192.168.200.15
2025-03-12 13:10:29 32798.040 2025-03-12 13:10:29 DAS: select user_name user1@example.com
2025-03-12 13:10:29 32798.040 2025-03-12 13:10:29 DAS: set ipv4 shaper for user user1@example.com (192.168.200.15): max-up=0, max-down=0 from 'RADIUS-SVR'
2025-03-12 13:10:29 32798.040 2025-03-12 13:10:29 DAS: -1 sslvpn session(s) deleted.
2025-03-12 13:10:29 32798.041 2025-03-12 13:10:29 DAS: 0 auth session(s) deleted.
2025-03-12 13:10:29 32798.041 2025-03-12 13:10:29 DAS: No Message-Authenticator attribute found
(output omitted)
2025-03-12 13:10:29 32798.056 2025-03-12 13:10:29 DAS: Get coa event result 2 with req_num 13
2025-03-12 13:10:31 32800.068 2025-03-12 13:10:31 DAS: Reply NAK to 10.200.200.10:53199
2025-03-12 13:10:31 32800.068 2025-03-12 13:10:31 RADIUS message: code=42 (Disconnect-NAK) identifier=4 length=50
2025-03-12 13:10:31 Attribute 101 (Error-Cause) length=6 pos 0xa5a2d26
2025-03-12 13:10:31 Value: 503
2025-03-12 13:10:31 Attribute 55 (Event-Timestamp) length=6 pos 0xa5a2d2c
2025-03-12 13:10:31 Value: 1741785029
2025-03-12 13:10:31 Attribute 80 (Message-Authenticator) length=18 pos 0xa5a2d32
2025-03-12 13:10:31 32800.069 2025-03-12 13:10:31 Value: - hexdump(len=16):
2025-03-12 13:10:31 0D C7 0E 48 FD 16 57 DC F5 A8 67 18 4D CE 7E C3 ...H..W...g.M.~.
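As an added illustration of the wire format behind the two exchanges above (example code written for this article, not FortiOS code or the RADIUS server's implementation), the following Python script assembles a Disconnect-Request carrying the same three AVPs as the requests above, decodes it into the attribute list that the "RADIUS message:" debug lines print, and checks the Request Authenticator and Message-Authenticator as RFC 5176 defines them. The shared secret, user name, Framed-IP-Address and Event-Timestamp values are constructed, and treating a request without Message-Authenticator as unverified is this example's own policy.

```python
import hashlib, hmac, socket, struct

# Codes, attribute types and the Error-Cause value that appear in the DAS output
CODES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK"}
ATTRS = {1: "User-Name", 8: "Framed-IP-Address", 55: "Event-Timestamp",
         80: "Message-Authenticator", 101: "Error-Cause"}
ERROR_CAUSE = {503: "Session Context Not Found"}   # RFC 5176 section 3.5
DECODE = {1: lambda b: b.decode(errors="replace"), 8: socket.inet_ntoa,
          55: lambda b: struct.unpack("!I", b)[0],
          101: lambda b: struct.unpack("!I", b)[0]}

def build_disconnect_request(identifier, secret, username, framed_ip, ts):
    # AVPs in the order the request above carries them, then Message-Authenticator
    attrs = (struct.pack("!BB4s", 8, 6, socket.inet_aton(framed_ip))
             + struct.pack("!BB", 1, 2 + len(username)) + username.encode()
             + struct.pack("!BBI", 55, 6, ts) + struct.pack("!BB", 80, 18))
    hdr = struct.pack("!BBH", 40, identifier, 20 + len(attrs) + 16)
    # RFC 5176: MA = HMAC-MD5 with Request Authenticator and MA zeroed (s3.2),
    # then Request Authenticator = MD5(hdr + 16 zero octets + attrs + secret) (s2.3)
    attrs += hmac.new(secret, hdr + bytes(16) + attrs + bytes(16), hashlib.md5).digest()
    req_auth = hashlib.md5(hdr + bytes(16) + attrs + secret).digest()
    return hdr + req_auth + attrs

def parse(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length field")
    avps, pos = [], 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        raw = pkt[pos + 2:pos + alen]
        avps.append((ATTRS.get(atype, str(atype)), DECODE.get(atype, bytes.hex)(raw)))
        pos += alen
    return CODES.get(code, str(code)), ident, avps

def verify_request(pkt, secret):
    # Both checks must pass; a request with no Message-Authenticator (the 'No
    # Message-Authenticator attribute found' case) is treated as unverified here.
    hdr, req_auth, attrs = pkt[:4], pkt[4:20], pkt[20:]
    if hashlib.md5(hdr + bytes(16) + attrs + secret).digest() != req_auth:
        return False
    pos = 0
    while pos + 1 < len(attrs):
        if attrs[pos] == 80 and attrs[pos + 1] == 18:
            zeroed = attrs[:pos + 2] + bytes(16) + attrs[pos + 18:]
            want = hmac.new(secret, hdr + bytes(16) + zeroed, hashlib.md5).digest()
            return hmac.compare_digest(want, attrs[pos + 2:pos + 18])
        pos += max(attrs[pos + 1], 2)
    return False
```

A request built this way decodes to the same Framed-IP-Address, User-Name and Event-Timestamp list shown in the debug output, and any change to the shared secret or to an attribute byte makes verify_request return False.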
For more information about RADIUS AVPs and VSAs, see RADIUS AVPs and VSAs - FortiGate administration guide.