Created on 12-31-2004 12:00 AM
Edited on 06-07-2023 02:20 AM
By Jean-Philippe_P
Description
This article describes how to test FortiGate user authentication against a RADIUS server from the CLI, and how to read the fnbamd debug output of that test.
Scope
FortiGate.
Solution
The FortiGate CLI includes an authentication test command:
diagnose test authserver radius <server_name> <chap | pap | mschap | mschap2> <username> <password>
Run this test as soon as the RADIUS server object is configured. It does not require a user group or a firewall policy to exist in the FortiGate configuration: it exercises only the exchange between the FortiGate and the RADIUS server, so it isolates server reachability, shared secret, authentication scheme and credentials from any policy problem.
If the RADIUS server configuration and the user credentials are correct, the server answers with an Access-Accept and, when it is configured to, the group name(s) it assigns to that user (returned as Fortinet vendor-specific attributes, which the FortiGate lists at the end of the test).
For example (command output from FortiOS 6.2; the text after '<-' and '>>>' is explanatory annotation, not part of the output):
diagnose debug application fnbamd -1
diagnose debug enable
diagnose test authserver radius WIN16 mschap2 radiususer1 P@$$w0rd1
[2274] handle_req-Rcvd auth req 457812035 for radiususer1 in WIN16 opt=0000001d prot=4
[398] __compose_group_list_from_req-Group 'WIN16'
[614] fnbamd_pop3_start-radiususer1
[540] __fnbamd_cfg_get_radius_list_by_server-Loading RADIUS server 'WIN16'
[305] fnbamd_create_radius_socket-Opened radius socket 15
[305] fnbamd_create_radius_socket-Opened radius socket 16
[1342] fnbamd_radius_auth_send-Compose RADIUS request
[1309] fnbamd_rad_dns_cb-172.16.190.216->172.16.190.216
[1284] __fnbamd_rad_send-Sent radius req to server 'WIN16': fd=15, IP=172.16.190.216(172.16.190.216:1812) code=1 id=95 len=157 user="radiususer1" using MS-CHAPv2 <- Username and scheme.
[282] radius_server_auth-Timer of rad 'WIN16' is added
[557] create_auth_session-Total 1 server(s) to try
[2406] fnbamd_auth_handle_radius_result-Timer of rad 'WIN16' is deleted
[1750] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2 >>> 2=Access-Accept, 3=Access-Reject, 11=Access-Challenge
[309] extract_success_vsas-FORTINET attr, type 1, val radiusgroup <- Radius attributes.
[2432] fnbamd_auth_handle_radius_result-Result for radius svr 'WIN16' 172.16.190.216(1) is 0 >>> 0=Authentication successful, 1=Authentication failed.
[2362] fnbamd_radius_group_match-Skipping group matching
[986] find_matched_usr_grps-Skipped group matching
[182] fnbamd_comm_send_result-Sending result 0 (error 0, nid 0) for req 457812035
authenticate 'radiususer1' against 'mschap2' succeeded, server=primary assigned_rad_session_id=457812035 session_timeout=0 secs idle_timeout=0 secs!
Group membership(s) – radiusgroup
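Reading this trace by hand is fine for one test, but when a ticket arrives with a pasted fnbamd trace it helps to have the interpretation written down. The following Python helper is an added example, not Fortinet code or a FortiOS command: it parses the lines shown above (tolerating the '<-' and '>>>' annotations), maps the RADIUS reply code and fnbamd result code to their meanings, collects the group names from the Fortinet vendor-specific attribute (VSA type 1 under vendor ID 12356 is Fortinet-Group-Name), and states what to check next for each outcome. The first sample transcript is constructed from the article's successful run; the reject and no-reply transcripts are hypothetical, constructed for the failure paths.

```python
"""Summarize a FortiGate `diagnose debug application fnbamd -1` trace captured
while running `diagnose test authserver radius ...`.

Added example, not Fortinet code. The sample transcripts are constructed: the
first reproduces the article's successful MS-CHAPv2 test with its editorial
annotations left in, the others are hypothetical reject and no-reply runs.
"""
import re

# RADIUS packet codes (RFC 2865 section 3) behind "RADIUS resp code N".
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept",
                3: "Access-Reject", 11: "Access-Challenge"}
# Fortinet VSA (vendor 12356) type 1 is Fortinet-Group-Name, the attribute a
# FortiGate user group matches a remote RADIUS user against.
FORTINET_GROUP_NAME_VSA = 1

_SEND_RE = re.compile(r"Sent radius req to server '([^']+)': fd=\d+, "
                      r"IP=([\d.]+)\(([\d.]+):(\d+)\) .*user=\"([^\"]+)\" using (\S+)")
_RESP_RE = re.compile(r"RADIUS resp code (\d+)")
_VSA_RE = re.compile(r"FORTINET attr, type (\d+), val (\S+)")
_RESULT_RE = re.compile(r"Sending result (\d+) \(error (\d+), nid \d+\)")
_FINAL_RE = re.compile(r"authenticate '([^']+)' against '([^']+)' (succeeded|failed)")


def parse_fnbamd_trace(text):
    """Pull server, user, scheme, RADIUS reply code, fnbamd result and groups
    out of the trace. A field left at None means its line never appeared; in
    particular no "RADIUS resp code" line means no reply reached the FortiGate."""
    s = {"server": None, "server_ip": None, "port": None, "user": None,
         "scheme": None, "resp_code": None, "resp_name": None, "result": None,
         "error": None, "groups": [], "other_vsas": [], "succeeded": None}
    for raw in text.splitlines():
        # Drop trailing "<- note" / ">>> note" annotations like the article's.
        line = re.split(r"\s(?:<-|>>>)\s", raw, maxsplit=1)[0]
        if m := _SEND_RE.search(line):
            s["server"], s["server_ip"], _, port, s["user"], s["scheme"] = m.groups()
            s["port"] = int(port)
        elif m := _RESP_RE.search(line):
            s["resp_code"] = int(m.group(1))
            s["resp_name"] = RADIUS_CODES.get(s["resp_code"], "unknown")
        elif m := _VSA_RE.search(line):
            vsa_type, value = int(m.group(1)), m.group(2)
            if vsa_type == FORTINET_GROUP_NAME_VSA:
                s["groups"].append(value)
            else:
                s["other_vsas"].append((vsa_type, value))
        elif m := _RESULT_RE.search(line):
            s["result"], s["error"] = int(m.group(1)), int(m.group(2))
        elif m := _FINAL_RE.search(line):
            s["succeeded"] = m.group(3) == "succeeded"
    return s


def verdict(s):
    """One-line conclusion, with the next thing to check for each failure mode."""
    who = f"user {s['user']!r} via {s['scheme']} on server {s['server']!r}"
    if s["resp_code"] is None:
        return (f"NO REPLY: {who}; check reachability to {s['server_ip']}:{s['port']} "
                "and that the FortiGate is a known RADIUS client with the right shared "
                "secret (requests from unknown clients are silently discarded)")
    if s["resp_code"] == 3 or s["result"] == 1:
        return (f"REJECTED: {s['resp_name']} for {who}; check the credentials and the "
                "server-side policy (including whether this scheme is allowed)")
    if s["resp_code"] == 11:
        return f"CHALLENGE: server asked {who} for more input (e.g. a token code)"
    if not s["groups"]:
        return (f"ACCEPTED (no group): {who}, but no Fortinet-Group-Name VSA came back; "
                "a FortiGate user group that requires a specific remote group will not match")
    return f"ACCEPTED: {who}, groups {', '.join(s['groups'])}"


# Constructed samples: the first follows the article's output, the rest are hypothetical.
SAMPLE_ACCEPT = """\
[2274] handle_req-Rcvd auth req 457812035 for radiususer1 in WIN16 opt=0000001d prot=4
[1284] __fnbamd_rad_send-Sent radius req to server 'WIN16': fd=15, IP=172.16.190.216(172.16.190.216:1812) code=1 id=95 len=157 user="radiususer1" using MS-CHAPv2 <- Username and scheme.
[1750] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2 >>> 2=Access-Accept, 3=Access-Reject, 11=Access-Challenge
[309] extract_success_vsas-FORTINET attr, type 1, val radiusgroup <- Radius attributes.
[182] fnbamd_comm_send_result-Sending result 0 (error 0, nid 0) for req 457812035
authenticate 'radiususer1' against 'mschap2' succeeded, server=primary assigned_rad_session_id=457812035 session_timeout=0 secs idle_timeout=0 secs!
Group membership(s) - radiusgroup
"""
SAMPLE_REJECT = """\
[1284] __fnbamd_rad_send-Sent radius req to server 'WIN16': fd=15, IP=172.16.190.216(172.16.190.216:1812) code=1 id=96 len=157 user="radiususer1" using MS-CHAPv2
[1750] fnbamd_radius_auth_validate_pkt-RADIUS resp code 3
[182] fnbamd_comm_send_result-Sending result 1 (error 0, nid 0) for req 457812036
authenticate 'radiususer1' against 'mschap2' failed!
"""
SAMPLE_NO_REPLY = """\
[1284] __fnbamd_rad_send-Sent radius req to server 'WIN16': fd=15, IP=172.16.190.216(172.16.190.216:1812) code=1 id=97 len=157 user="radiususer1" using MS-CHAPv2
authenticate 'radiususer1' against 'mschap2' failed!
"""

if __name__ == "__main__":
    for name, sample in (("accept", SAMPLE_ACCEPT), ("reject", SAMPLE_REJECT),
                         ("no reply", SAMPLE_NO_REPLY)):
        print(f"{name:9s}: {verdict(parse_fnbamd_trace(sample))}")
```

Paste a real trace into parse_fnbamd_trace() to get the same summary for it. The no-reply branch is the one worth remembering: a RADIUS server silently drops requests from a client it does not know, so a missing "RADIUS resp code" line points at the client definition or shared secret on the server rather than at the user. Once the test is finished, turn the debug output off again on the FortiGate with diagnose debug disable, since fnbamd debugging at level -1 is verbose on a busy unit.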
Related Articles:
Technical Note: Troubleshooting FortiOS authentication issues
Copyright 2023 Fortinet, Inc. All Rights Reserved.