Description
Solution
Useful information about what is going wrong with TACACS+ authentication can be gathered by running the commands below.
It is usually advised to open two separate SSH sessions to the FortiGate (FGT) so that the packet sniffer output can be collected alongside the debugs.
SSH Session 1:
diagnose sniffer packet any 'host x.x.x.x and port 49' 6 0 a
Or
diagnose sniffer packet any 'host x.x.x.x' 6 0 a
Here, x.x.x.x must be replaced with the IP address of the TACACS+ server.
SSH Session 2:
diagnose debug reset
diagnose debug console timestamp enable
diagnose debug application fnbamd -1
diagnose debug enable
The issue can then be replicated and useful information will be displayed in the debugs.
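When reading the sniffer output from SSH Session 1, the TACACS+ body is obfuscated with the shared secret, but the 12-byte TACACS+ header is always in the clear, so it still tells you whether the FortiGate sent a request to port 49, whether the server answered, which sequence number the exchange stalled at, and whether the "unencrypted" flag is set (which would mean the body is being sent in cleartext rather than obfuscated with the shared secret). The following script is an added example and is not part of the Fortinet article or of FortiOS; it assumes the verbosity-6 sniffer prints hex dump lines of the form `0x0010   003c 0001 ...` followed by an ASCII column, and the two sample frames it decodes are constructed for illustration (RFC 8907 header layout: version, type, seq_no, flags, session_id, length).

```python
import re
import struct
from dataclasses import dataclass

TACACS_PORT = 49
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # RFC 8907: body is NOT obfuscated with the shared secret
TAC_PLUS_SINGLE_CONNECT_FLAG = 0x04
PACKET_TYPES = {1: "authen", 2: "author", 3: "acct"}

# Assumed FortiOS sniffer hex-dump line layout: "0x<offset>   <hex groups>   <ascii>"
HEX_LINE = re.compile(r"^\s*0x[0-9a-fA-F]{4}\s+(.*)$")


def hexdump_to_bytes(dump: str) -> bytes:
    """Reassemble one Ethernet frame from the sniffer's hex dump lines."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue  # timestamp/summary lines carry no frame bytes
        for tok in m.group(1).split():
            if re.fullmatch(r"[0-9a-fA-F]{2}(?:[0-9a-fA-F]{2})?", tok):
                out += bytes.fromhex(tok)
            else:
                break  # reached the ASCII column
    return bytes(out)


@dataclass
class TacacsHeader:
    version: int
    packet_type: str
    seq_no: int
    flags: int
    session_id: int
    body_length: int

    @property
    def unencrypted(self) -> bool:
        return bool(self.flags & TAC_PLUS_UNENCRYPTED_FLAG)


def tcp_payload(frame: bytes):
    """Return (src_port, dst_port, payload) for an IPv4/TCP Ethernet frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6:  # IP protocol field must be TCP
        return None
    tcp = 14 + ihl
    if len(frame) < tcp + 20:
        return None
    sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
    data_off = (frame[tcp + 12] >> 4) * 4
    ip_total = struct.unpack("!H", frame[16:18])[0]
    end = min(len(frame), 14 + ip_total)  # drop any Ethernet trailer padding
    return sport, dport, frame[tcp + data_off:end]


def parse_tacacs_header(payload: bytes) -> TacacsHeader:
    """Decode the fixed 12-byte TACACS+ header (RFC 8907 section 4.1)."""
    if len(payload) < 12:
        raise ValueError("payload shorter than the 12-byte TACACS+ header")
    ver, ptype, seq, flags, sess, length = struct.unpack("!BBBBII", payload[:12])
    if ver >> 4 != 0xC:
        raise ValueError(f"not a TACACS+ major version: 0x{ver:02x}")
    return TacacsHeader(ver, PACKET_TYPES.get(ptype, f"unknown({ptype})"), seq, flags, sess, length)


def inspect_sniffer_dump(dump: str) -> dict:
    """Summarise one captured frame: direction, packet type, sequence, and the unencrypted flag."""
    parsed = tcp_payload(hexdump_to_bytes(dump))
    if parsed is None:
        raise ValueError("not an IPv4/TCP frame")
    sport, dport, payload = parsed
    if TACACS_PORT not in (sport, dport):
        raise ValueError("not TACACS+ traffic (port 49)")
    hdr = parse_tacacs_header(payload)
    return {
        "direction": "to-server" if dport == TACACS_PORT else "from-server",
        "type": hdr.packet_type,
        "seq": hdr.seq_no,
        "session_id": hdr.session_id,
        "body_length": hdr.body_length,
        "body_complete": len(payload) - 12 == hdr.body_length,
        "unencrypted": hdr.unencrypted,
    }


# Constructed sample: 10.0.0.1 -> 10.0.0.2:49, authentication packet, seq 1, flags 0x00 (obfuscated body).
SAMPLE_OK = """\
2025-01-01 10:00:00.000001 port1 out 10.0.0.1.50000 -> 10.0.0.2.49: psh 1 ack 1
0x0000   0009 0f09 0001 0009 0f09 0002 0800 4500        ..............E.
0x0010   003c 0001 4000 4006 0000 0a00 0001 0a00        .<..@.@.........
0x0020   0002 c350 0031 0000 0001 0000 0001 5018        ...P.1........P.
0x0030   ffff 0000 0000 c001 0100 dead beef 0000        ................
0x0040   0008 0102 0304 0506 0708                       ..........
"""

# Same constructed frame with the TACACS+ flags byte set to 0x01 (unencrypted flag).
SAMPLE_UNENCRYPTED = SAMPLE_OK.replace("c001 0100", "c001 0101")

if __name__ == "__main__":
    for name, dump in (("obfuscated", SAMPLE_OK), ("cleartext", SAMPLE_UNENCRYPTED)):
        print(name, inspect_sniffer_dump(dump))
```

Feed each frame from the sniffer output to `inspect_sniffer_dump` and compare the `seq` and `session_id` values of requests (to-server) against replies (from-server): a request with no matching reply points at the network path or the server, while a reply that arrives but fails to authenticate is better investigated in the fnbamd debug from SSH Session 2. An `unencrypted: True` result means the shared-secret obfuscation is not being applied on that side and the server configuration should be reviewed.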
The FortiGate CLI can also be used to test the user credentials directly against the configured server:
diagnose test authserver tacacs+ <servername> <username> <password>
A successful ('OK') test shows output like:
authenticate user 'user-test' on server 'tacacs-test' succeeded
In some cases, an fnbamd process crash impacts all authentication-related functions until the process restarts automatically. While the process is down, authentication requests fail.
To verify whether the fnbamd process has crashed, use:
diagnose debug crashlog read
If multiple crash logs are present, the grep argument can filter the output:
diagnose debug crashlog read | grep fnbamd
After a crash or process issue, the fnbamd process typically restarts automatically. In some situations, such as software bugs or memory issues, the process may not restart.
The process status can be checked with:
diagnose sys process pidof fnbamd
If the service is running, this command displays the process ID.
Copyright 2025 Fortinet, Inc. All Rights Reserved.