FortiGate
dbhavsar
Staff
Article Id 337484
Description This article describes one possible reason for a RADIUS server rejecting an authentication request (Access-Reject). The cause of the rejection must be investigated on the RADIUS server itself.
Scope FortiGate.
Solution
  • Check that connectivity to the RADIUS server is working.
  • Run the following debug commands and then test the credentials from the FortiGate GUI:

Image: test-credentials.jpg

Debug commands:

diagnose debug reset
diagnose debug console timestamp enable
diagnose debug app fnbamd -1
diagnose debug enable

A packet capture shows exactly what was sent and received, and the Access-Reject may include a reason for the rejection; an example is shown later in this article.

The following error will be seen in the debug output:

[328] __create_access_request-Compose RADIUS request
[589] __create_access_request-Created RADIUS Access-Request. Len: 99.
[1159] fnbamd_socket_update_interface-vfid is 0, intf mode is 0, intf name is , server address is 192.168.30.2:1812, source address is null, protocol number is 17, oif id is 0
[304] __rad_udp_send-oif=0, intf_sel.mode=0, intf_sel.name=
[796] __rad_rxtx-Sent radius req to server '192.168.30.2': fd=10, IP=192.168.30.2(192.168.30.2:1812) code=1 id=11 len=99
[805] __rad_rxtx-Start rad conn timer.
[765] __rad_rxtx-fd 10, state 1(Auth)
[767] __rad_rxtx-Stop rad conn timer.
[808] __rad_rxtx-
[382] __rad_udp_recv-Recved 20 bytes. Buf sz 8192
[1210] fnbamd_rad_validate_pkt-RADIUS resp code 3
[951] __rad_error-Ret 1, st = 1.
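The debug output above only reports the numeric reply code ("resp code 3") and the reply size (20 bytes, which is a bare RADIUS header with no attributes, so the reject carries no reason text). The following is an added example, not Fortinet code, that summarizes such fnbamd lines, decodes a RADIUS reply according to RFC 2865, verifies its Response Authenticator against the shared secret so a reply that was not produced with that secret is not trusted, and extracts any Reply-Message reason the server did include. The shared secret, the request authenticator and the Reply-Message text are constructed for the example; the quoted debug lines are the ones shown above.

```python
"""Decode a RADIUS reply (RFC 2865) and summarize the FortiGate fnbamd
debug lines that report it.  Added example, not Fortinet code; the
shared secret, request authenticator and reply text are constructed."""
import hashlib
import hmac
import re
import struct
from typing import Optional

# RFC 2865 packet codes; fnbamd prints the numeric value ("resp code 3").
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept",
                3: "Access-Reject", 11: "Access-Challenge"}
# Attribute types decoded by name here (RFC 2865 section 5).
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 18: "Reply-Message"}


def parse_radius(packet: bytes) -> dict:
    """Split a RADIUS packet into header fields and (name, value) attributes.
    Raises ValueError rather than trusting an inconsistent length field."""
    if len(packet) < 20:
        raise ValueError("RADIUS packet shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError(f"length field {length} inconsistent with {len(packet)} bytes")
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        attrs.append((ATTR_NAMES.get(atype, f"Attr-{atype}"), packet[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "name": RADIUS_CODES.get(code, f"Code-{code}"),
            "id": ident, "length": length, "authenticator": packet[4:20],
            "attributes": attrs}


def response_authenticator_ok(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """RFC 2865 section 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    A reply failing this check was not produced with the configured shared secret."""
    length = struct.unpack("!H", reply[2:4])[0]
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:length] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def reject_reason(parsed: dict) -> Optional[str]:
    """Return Reply-Message text from the reply, or None when the server sent a
    bare header (as in the 20-byte reject in the debug output above)."""
    msgs = [v.decode("utf-8", "replace") for n, v in parsed["attributes"] if n == "Reply-Message"]
    return " ".join(msgs) if msgs else None


def build_reply(code: int, ident: int, request_auth: bytes, secret: bytes,
                attributes: bytes = b"") -> bytes:
    """Construct a reply the way a server would; used to make the sample packets."""
    head = struct.pack("!BBH", code, ident, 20 + len(attributes))
    auth = hashlib.md5(head + request_auth + attributes + secret).digest()
    return head + auth + attributes


def summarize_fnbamd(debug_text: str) -> dict:
    """Pull server, request id, reply size and reply code out of fnbamd debug lines."""
    out = {"server": None, "request_id": None, "recv_bytes": None,
           "resp_code": None, "resp_name": None, "header_only": None}
    for line in debug_text.splitlines():
        m = re.search(r"Sent radius req to server '([^']+)'.*\bid=(\d+)", line)
        if m:
            out["server"], out["request_id"] = m.group(1), int(m.group(2))
        m = re.search(r"__rad_udp_recv-Recved (\d+) bytes", line)
        if m:
            out["recv_bytes"] = int(m.group(1))
            out["header_only"] = out["recv_bytes"] == 20  # no attributes, hence no Reply-Message
        m = re.search(r"RADIUS resp code (\d+)", line)
        if m:
            out["resp_code"] = int(m.group(1))
            out["resp_name"] = RADIUS_CODES.get(out["resp_code"], f"Code-{out['resp_code']}")
    return out


# Constructed sample data.  The debug lines are the ones quoted in the article;
# the secret, request authenticator and Reply-Message text are made up.
SAMPLE_DEBUG = """\
[796] __rad_rxtx-Sent radius req to server '192.168.30.2': fd=10, IP=192.168.30.2(192.168.30.2:1812) code=1 id=11 len=99
[382] __rad_udp_recv-Recved 20 bytes. Buf sz 8192
[1210] fnbamd_rad_validate_pkt-RADIUS resp code 3
"""
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))
BARE_REJECT = build_reply(3, 11, REQUEST_AUTH, SECRET)  # 20 bytes, like the article's reply
MSG = b"User is not a member of a permitted group"      # constructed reason text
REJECT_WITH_MSG = build_reply(3, 12, REQUEST_AUTH, SECRET, bytes([18, 2 + len(MSG)]) + MSG)

if __name__ == "__main__":
    print(summarize_fnbamd(SAMPLE_DEBUG))
    for pkt in (BARE_REJECT, REJECT_WITH_MSG):
        p = parse_radius(pkt)
        print(p["name"], "id", p["id"], "auth ok:",
              response_authenticator_ok(pkt, REQUEST_AUTH, SECRET), "reason:", reject_reason(p))
```

Feed the bytes of the Access-Reject from a packet capture to parse_radius and reject_reason: a header-only reply, as in this article, yields no reason, and the cause then has to come from the server's own log (Event ID 6273 on NPS). The authenticator check needs the Request Authenticator from the matching Access-Request and the shared secret configured on the FortiGate.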

 

  • The reason for the rejection has to be looked up on the node that sent it. In this example, the server is a Microsoft Network Policy Server (NPS), which acts as the RADIUS server.
    Connect to the NPS and navigate to Event Viewer -> Windows Logs -> Security.
  • Filter the log on Event ID 6273 to see the Audit Failure entry:

Image: RADIUS-Server-Event-Log.png

  • Here, access was denied because of a Network Access Permission error: the network policy only permits a specific group, and the user must be a member of it. In this example, the group 'fgt-admin' has been granted access, but the user 'pki1' is not a member of that group:

Image: NP-conditions.png

Image: user-properties.jpg

Below is the packet capture showing the Access-Reject sent by the RADIUS server:

Access-Request Packet:

Image: pcap-access-request.png

Access-Reject Packet:

Image: pcap-access-rejectpng.png

  • Once the user has been added to that group, the credentials test succeeds:

Image: successful-test-credentials.jpg

Related article:

Technical Tip: RADIUS error codes