Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
azhunissov
Staff
Staff

Created on ‎12-31-2004 12:00 AM Edited on ‎06-07-2023 02:20 AM By Moderator

Article Id 198406

Troubleshooting Tip: How to test a FortiGate user authentication to RADIUS server

Description


This article describes how to test a FortiGate user authentication to the RADIUS server.

 

Scope

 

FortiGate.

 

Solution


The CLI of the FortiGate includes an authentication test command:

 

diagnose  test  authserver  radius
<server_name> <chap | pap | mschap | mschap2> <username> <password>

 

Run this test command as soon as the Radius server configuration is completed.
It does not require the FortiGate configuration to contain a user group or firewall policy.
If there are no issues with the Radius server configuration or user credentials, the Radius server returns an authentication confirmation and a list of the user group for that user.

For example (command outputs from FortiOS 6.2):

 

diagnose debug application fnbamd -1
diagnose debug enable
diagnose  test  authserver  radius WIN16 mschap2 radiususer1 P@$$w0rd1
[2274] handle_req-Rcvd auth req 457812035 for radiususer1 in WIN16 opt=0000001d prot=4
[398] __compose_group_list_from_req-Group 'WIN16'
[614] fnbamd_pop3_start-radiususer1
[540] __fnbamd_cfg_get_radius_list_by_server-Loading RADIUS server 'WIN16'
[305] fnbamd_create_radius_socket-Opened radius socket 15
[305] fnbamd_create_radius_socket-Opened radius socket 16
[1342] fnbamd_radius_auth_send-Compose RADIUS request
[1309] fnbamd_rad_dns_cb-172.16.190.216->172.16.190.216
[1284] __fnbamd_rad_send-Sent radius req to server 'WIN16': fd=15, IP=172.16.190.216(172.16.190.216:1812) code=1 id=95 len=157 user="radiususer1" using MS-CHAPv2      <- Username and scheme.
[282] radius_server_auth-Timer of rad 'WIN16' is added
[557] create_auth_session-Total 1 server(s) to try
[2406] fnbamd_auth_handle_radius_result-Timer of rad 'WIN16' is deleted
[1750] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2 >>> 2=Access-Accept, 3=Access-Reject, 11=Access-Challenge

[309] extract_success_vsas-FORTINET attr, type 1, val radiusgroup         <- Radius attributes.
[2432] fnbamd_auth_handle_radius_result     <- Result for radius svr 'WIN16' 172.16.190.216(1) is 0 >>> 0=Authetication successful, 1=Authentication failed.
[2362] fnbamd_radius_group_match-Skipping group matching
[986] find_matched_usr_grps-Skipped group matching
[182] fnbamd_comm_send_result-Sending result 0 (error 0, nid 0) for req 457812035
authenticate 'radiususer1' against 'mschap2' succeeded, server=primary assigned_rad_session_id=457812035 session_timeout=0 secs idle_timeout=0 secs!
Group membership(s)radiusgroup

 

Related Articles:

Technical Note: Troubleshooting FortiOS authentication issues

47524
0 Kudos
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.​

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2023 Fortinet, Inc. All Rights Reserved.