FortiGate
azhunissov
Staff
Article Id 192767

Description

This article explains how to set up a FortiGate in the scenario where a RADIUS server is used to authenticate FortiGate admin users, and a fallback to a local backup password is required if the RADIUS server does not respond.

Scope

FortiGate.


Solution


Note:

This setting requires a local admin account to be created.
If local accounts must not be used (only existing accounts on the RADIUS server), consult the KB article listed under 'Related articles'.

RADIUS server configuration:

config user radius
    edit "FACVM"
        set server "172.16.190.100"
        set secret SUPERSECRETPASSWORD
        set auth-type ms_chap_v2
    next
end


User group configuration referencing the RADIUS server:

config user group
    edit "radiusgroup"
        set member "FACVM"
            config match
                edit 1
                    set server-name "FACVM"
                    set group-name "radiusgroup"
                next
            end
    next
end


Local admin account configuration with remote authentication and a local backup password:

config system admin
    edit "radiusadmin"
        set remote-auth enable
        set accprofile "super_admin"
        set vdom "root"
        set remote-group "radiusgroup"
        set password fortinetlocal
    next
end


Starting from v7.6, setting the local backup password requires entering the current administrator password:

FGT (radiusadmin) # set password fortinetlocal
Please enter current administrator password: ********


The password is then stored encrypted:

config system admin
    edit "radiusadmin"
        set remote-auth enable
        set accprofile "super_admin"
        set vdom "root"
        set remote-group "radiusgroup"
        set password ENC PB2pkgmrhih4Yj27wmP1LsC7JRYtjkAhBdvVDhJxeAyzkFk98yNz60ZjQQ7JTnc4XUq4FUGS9PGMj9v9SVl6G/TokkyE8M0K0n00QrpmV/mNu4=
    next
end


Verification:

1. When the RADIUS server is up, connect to the FortiGate with 'radiususer1/radiuspassword'; access is granted:

diagnose debug application fnbamd -1
diagnose debug enable

# [2274] handle_req-Rcvd auth req 457812065 for radiususer1 in radiusgroup opt=00010001 prot=10
[398] __compose_group_list_from_req-Group 'radiusgroup'
[614] fnbamd_pop3_start-radiususer1
[608] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'FACVM' for usergroup 'radiusgroup' (10)
[305] fnbamd_create_radius_socket-Opened radius socket 15
[305] fnbamd_create_radius_socket-Opened radius socket 16
[1342] fnbamd_radius_auth_send-Compose RADIUS request
[1309] fnbamd_rad_dns_cb-172.16.190.100->172.16.190.100
[1284] __fnbamd_rad_send-Sent radius req to server 'FACVM': fd=15, IP=172.16.190.100(172.16.190.100:1812) code=1 id=128 len=164 user="radiususer1" using MS-CHAPv2
[282] radius_server_auth-Timer of rad 'FACVM' is added
[718] auth_tac_plus_start-Didn't find tac_plus servers (0)
[439] ldap_start-Didn't find ldap servers (0)
[557] create_auth_session-Total 1 server(s) to try
[2406] fnbamd_auth_handle_radius_result-Timer of rad 'FACVM' is deleted
[1750] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[309] extract_success_vsas-FORTINET attr, type 1, val radiusgroup
[2432] fnbamd_auth_handle_radius_result-Result for radius svr 'FACVM' 172.16.190.100(1) is 0   <----- 0=Authentication successful, 1=Authentication failed.
[2356] fnbamd_radius_group_match-Passed group matching
[1031] find_matched_usr_grps-Group 'radiusgroup' passed group matching
[1032] find_matched_usr_grps-Add matched group 'radiusgroup'(10)


2. When the RADIUS server is down, connect to the FortiGate with 'radiususer1/radiuspassword'; access is denied:

diagnose debug application fnbamd -1
diagnose debug enable

# [2274] handle_req-Rcvd auth req 457812067 for radiususer1 in radiusgroup opt=00010001 prot=10
[398] __compose_group_list_from_req-Group 'radiusgroup'
[614] fnbamd_pop3_start-radiususer1
[608] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'FACVM' for usergroup 'radiusgroup' (10)
[305] fnbamd_create_radius_socket-Opened radius socket 15
[305] fnbamd_create_radius_socket-Opened radius socket 16
[1342] fnbamd_radius_auth_send-Compose RADIUS request
[1309] fnbamd_rad_dns_cb-172.16.190.100->172.16.190.100
[1284] __fnbamd_rad_send-Sent radius req to server 'FACVM': fd=15, IP=172.16.190.100(172.16.190.100:1812) code=1 id=130 len=164 user="radiususer1" using MS-CHAPv2
[282] radius_server_auth-Timer of rad 'FACVM' is added
[718] auth_tac_plus_start-Didn't find tac_plus servers (0)
[439] ldap_start-Didn't find ldap servers (0)
[557] create_auth_session-Total 1 server(s) to try
[47] handle_rad_timeout-rad 'FACVM' 172.16.190.100 timed out, resend request.
[1284] __fnbamd_rad_send-Sent radius req to server 'FACVM': fd=15, IP=172.16.190.100(172.16.190.100:1812) code=1 id=130 len=164 user="radiususer1" using MS-CHAPv2
[63] handle_rad_timeout-Timer of rad 'FACVM' is added
[3197] handle_auth_timeout_with_retry-Retry
[396] radius_stop-Timer of rad 'FACVM' is deleted
[1039] fnbamd_auth_retry-svr_type = 2
[608] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'FACVM' for usergroup 'radiusgroup' (10)
[341] radius_start-Didn't find radius servers (0)
[3215] handle_auth_timeout_with_retry-retry failed


3. When the RADIUS server is unavailable, it is possible to log in to the FortiGate with 'radiususer1/fortinetlocal', and access is granted. Current time and list of connected administrators before logging in as 'radiususer1/fortinetlocal':

execute time
current time is: 16:41:20
last ntp sync:Fri May  30 16:16:18 2025

get sys info admin  status
Index  User name   Login type  From
Logged in users: 3
USERNAME        TYPE    FROM             TIME
admin           https  172.26.228.45     Fri May 30 16:10:18 2025

admin           https  172.26.228.45     Fri May 30 16:24:18 2025

admin           ssh    10.5.28.86        Fri May 30 16:25:11 2025


FortiGate first tries to authenticate against the RADIUS server and, after that fails, falls back to the local backup password:

diagnose debug application fnbamd -1
diagnose debug enable

# [2274] handle_req-Rcvd auth req 457812070 for radiususer1 in radiusgroup opt=00010001 prot=10
[398] __compose_group_list_from_req-Group 'radiusgroup'
[341] radius_start-Didn't find radius servers (0)
[3215] handle_auth_timeout_with_retry-retry failed


Current time and list of connected administrators after connecting with 'radiususer1/fortinetlocal':

execute time
current time is: 16:56:20
last ntp sync:Fri May  30 16:16:18 2025

get sys info admin  status
Index  User name   Login type  From
Logged in users: 4
USERNAME        TYPE    FROM             TIME
admin           https  172.26.228.45     Fri May 30 16:10:18 2025

admin           https  172.26.228.45     Fri May 30 16:24:18 2025

admin           ssh    10.5.28.86        Fri May 30 16:25:11 2025

radiususer1     http    10.5.28.86       Fri May 30 16:53:11 2025
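As an added example (not from the article or from Fortinet), the following Python script parses fnbamd debug output of the kind shown in the verification steps above, together with rows of 'get sys info admin status', to tell a RADIUS accept from a RADIUS outage and to flag an administrator session that was opened with the local backup password while RADIUS was unreachable. The sample lines are constructed to mirror the article's transcripts; function names and the outcome labels are this example's own.

```python
import re

# Added example, not from the article: summarise 'diagnose debug application fnbamd -1' output so a
# monitoring job can tell a RADIUS accept from a RADIUS outage and flag an admin session that can only
# have been opened with the local backup password. Sample lines are constructed to mirror the article.
REQ_RE = re.compile(r"handle_req-Rcvd auth req \d+ for (\S+) in (\S+)")
RESULT_RE = re.compile(r"Result for radius svr '([^']+)' \S+ is (\d+)")
TIMEOUT_RE = re.compile(r"handle_rad_timeout-rad '([^']+)' \S+ timed out")
RETRY_FAILED = "handle_auth_timeout_with_retry-retry failed"
ADMIN_RE = re.compile(r"^(\S+)\s+(https?|ssh|telnet)\s+\S+\s+.+$")  # rows of 'get sys info admin status'

def classify_fnbamd(debug_output):
    """Summarise one auth request: user, group, RADIUS server, timeouts and outcome."""
    s = {"user": None, "group": None, "server": None, "timeouts": 0, "outcome": "unknown"}
    for line in debug_output.splitlines():
        line = line.strip().lstrip("# ")  # drop the CLI prompt marker on the first line
        if m := REQ_RE.search(line):
            s["user"], s["group"] = m.group(1), m.group(2)
        elif m := TIMEOUT_RE.search(line):
            s["server"], s["timeouts"] = m.group(1), s["timeouts"] + 1
        elif m := RESULT_RE.search(line):
            s["server"] = m.group(1)
            # fnbamd result 0 = Access-Accept, any other value = authentication failed
            s["outcome"] = "radius_accept" if m.group(2) == "0" else "radius_reject"
        elif RETRY_FAILED in line and s["outcome"] == "unknown":
            s["outcome"] = "radius_unreachable"  # no reply even after the retry
    return s

def local_fallback_logins(summary, admin_status_output):
    """Users whose RADIUS check got no answer yet hold an admin session: local backup password used."""
    if summary["outcome"] != "radius_unreachable":
        return []
    active = {m.group(1) for line in admin_status_output.splitlines()
              if (m := ADMIN_RE.match(line.strip()))}
    return [summary["user"]] if summary["user"] in active else []

SAMPLE_UP = """\
# [2274] handle_req-Rcvd auth req 457812065 for radiususer1 in radiusgroup opt=00010001 prot=10
[2432] fnbamd_auth_handle_radius_result-Result for radius svr 'FACVM' 172.16.190.100(1) is 0
"""
SAMPLE_DOWN = """\
# [2274] handle_req-Rcvd auth req 457812070 for radiususer1 in radiusgroup opt=00010001 prot=10
[47] handle_rad_timeout-rad 'FACVM' 172.16.190.100 timed out, resend request.
[3215] handle_auth_timeout_with_retry-retry failed
"""
SAMPLE_ADMIN = """\
USERNAME        TYPE    FROM             TIME
admin           ssh    10.5.28.86        Fri May 30 16:25:11 2025
radiususer1     http    10.5.28.86       Fri May 30 16:53:11 2025
"""
```

A session opened with the local backup password while the central RADIUS server is down is the event worth alerting on, since it bypasses the central account controls the article relies on during normal operation.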


Related articles:

Technical Tip: Remote admin login with Radius selecting admin access account profile

Technical Note: FortiGate admin authentication using radius groups fails