Description

Solution

Some useful information can be gathered as to what is going wrong with TACACS+ authentication by running the commands provided below.

It is usually advised to have two different SSH sessions for the FGT and collect the packet sniffer along with the debugs.

SSH Session 1:.

diagnose sniffer packet any ‘host x.x.x.x and port 49’ 6 0 a

Or

diagnose sniffer packet any ‘host x.x.x.x’ 6 0 a           <- x.x.x.x needs to be replaced with the IP address of TACACS+ server.

SSH Session 2.

diagnose debug reset
diagnose debug console timestamp enable
diagnose debug application fnbamd -1
diagnose debug enable

The issue can then be replicated and useful information will be displayed in the debugs.

Also, one can use the FortiGate CLI to directly test the user credentials.

diagnose test authserver tacacs+ <servername> <username> <password>

'OK' output shows as:

authenticate user '<user-test' on server 'tacacs-test' succeeded

In some cases, an fnbamd process crash impacts all authentication-related functions until the process restarts automatically. While the process is down, authentication requests fail.

To verify whether the fnbamd process has crashed, use:

diagnose debug crashlog read

If multiple crash logs are present, the grep argument can filter the output:

diagnose debug crashlog read | grep fnbamd

After a crash or process issue, the fnbamd process typically restarts automatically. In some situations, such as software bugs or memory issues, the process may not restart.

The process status can be checked with:

diagnose sys process pidof fnbamd

If the service is running, this command displays the process ID.