Created on 12-31-2004 12:00 AM
Edited on 01-06-2025 12:27 AM
By Jean-Philippe_P
Description
This article describes how to test a FortiGate user authentication to the RADIUS server.
Scope
FortiGate.
Solution
The CLI of the FortiGate includes an authentication test command:
diagnose test authserver radius <server_name> <chap | pap | mschap | mschap2> <username> <password>
Run this test command as soon as the RADIUS server object (config user radius) is complete. It does not require a user group or a firewall policy to exist yet, so it isolates the server side of the setup (reachability, the FortiGate being defined as a client on the server, the shared secret and the authentication scheme) from group matching and policy problems.
If the server configuration and the user credentials are correct, the RADIUS server answers with an Access-Accept and the output lists the groups the server returned for that user, typically carried in the Fortinet-Group-Name vendor-specific attribute. Note that a wrong shared secret does not produce a distinct error: with PAP the server decrypts the password to garbage and sends an Access-Reject, and some servers simply do not answer at all, so a 'failed' result and a timeout both need to be read together with the debug output shown below.
For example, with fnbamd debugging enabled so that the exchange can be followed (command outputs from FortiOS v7.2):
diagnose debug application fnbamd -1
Debug messages will be on for 30 minutes.
diagnose debug enable
diagnose test authserver radius radserver1 pap raduser1 password123
[1909] handle_req-Rcvd auth req 1190820099 for raduser1 in radserver1 opt=0100001d prot=0
[489] __compose_group_list_from_req-Group 'radserver1', type 1
[616] fnbamd_pop3_start-raduser1
[531] __fnbamd_cfg_get_radius_list_by_server-Loading RADIUS server 'radserver1'
[342] fnbamd_create_radius_socket-Opened radius socket 10
[342] fnbamd_create_radius_socket-Opened radius socket 11
[1476] fnbamd_radius_auth_send-Compose RADIUS request
[1433] fnbamd_rad_dns_cb-10.5.56.169->10.5.56.169
[1405] __fnbamd_rad_send-Sent radius req to server 'radserver1': fd=10, IP=10.5.56.169(10.5.56.169:1812) code=1 id=1 len=97 user="raduser1" using PAP <- Username and scheme.
[319] radius_server_auth-Timer of rad 'radserver1' is added
[652] create_auth_session-Total 1 server(s) to try
[1950] handle_req-r=4
[1522] fnbamd_auth_handle_radius_result-Timer of rad 'radserver1' is deleted
[1890] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2 <- 2=Access-Accept, 3=Access-Reject, 11=Access-Challenge.
[323] extract_success_vsas-FORTINET attr, type 1, val radgroup1 <- Fortinet vendor-specific attribute type 1 (Fortinet-Group-Name) returned by the server; this is where the group list comes from.
[1548] fnbamd_auth_handle_radius_result-->Result for radius svr 'radserver1' 10.5.56.169(1) is 0 <- 0=Authentication successful, 1=Authentication failed.
[281] find_matched_usr_grps-Skipped group matching
[209] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 1190820099, len=2551
authenticate 'raduser1' against 'pap' succeeded, server=primary assigned_rad_session_id=1190820099 session_timeout=0 secs idle_timeout=0 secs!
Group membership(s) - radgroup1
If no 'RADIUS resp code' line appears in the debug output (the request was sent but the server never answered), verify connectivity first. Try pinging the RADIUS server from the FortiGate:
execute ping a.b.c.d -> a.b.c.d is the server IP
Keep in mind that the ping uses the address of the outgoing interface, while the RADIUS request uses the source-ip configured on the server object if one is set, so the server's client definition must match that address. The packet sniffer can then be used to verify that the request leaves on the correct interface and whether a reply comes back on UDP port 1812:
diagnose sniffer packet any 'host a.b.c.d and port 1812' 4