Description
This article describes how to solve most common problems with RADIUS.
Scope
FortiGate, RADIUS.
Solution
To test the RADIUS object and see if this is working properly, use the following CLI command:
diagnose test authserver radius <radius server_name> <authentication scheme><username> <password>
Note:
<RADIUS server_name> <- Name of RADIUS object on FortiGate.
The authentication scheme could be one of the following: Pap, Chap, mschapv2, mschap.
Example:
diagnose test authserver radius RADIUS_SERVER pap user1 password
Advanced troubleshooting:
To get more information regarding the reasons for authentication failure, use the following CLI commands:
diagnose debug enable
diagnose debug application fnbamd 255
To stop this debug type:
diagnose debug application fnbamd 0
And then run a RADIUS authentication test:
diag test authserver radius RADIUS_SERVER pap user1 password
Note: For user password configuration, RADIUS version 1.0 (RFC 2138) limits authentication up to 16 characters.
If the user password is more than 16 Characters, RADIUS user authentication will not work.
To use a password longer than 16 characters for users, use RADIUS version 2.0 (RFC 2865).
Advanced troubleshooting:
diag test authserver radius FAC_RADUIS pap user1 Password
handle_req-Rcvd auth req 237264669 for user1 in FAC_RADUIS opt=0000001d prot=0
compose_group_list_from_req-Group 'FAC_RADUIS'
fnbamd_pop3_start-user1
fnbamd_cfg_get_radius_list_by_server-Loading RADIUS server 'FAC_RADUIS'
fnbamd_create_radius_socket-Opened radius socket 15
fnbamd_create_radius_socket-Opened radius socket 16
fnbamd_radius_auth_send-Compose RADIUS request
fnbamd_rad_dns_cb-192.168.1.99
fnbamd_rad_send-Sent radius req to server 'FAC_RADUIS': fd=15, IP=192.168.1.99(192.168.1.99:1812) code=1 id=164 len=91 u="user1" using Pap <- Username and authentication scheme.
radius_server_auth-Timer of rad 'FAC_RADUIS' is added
create_auth_session-Total 1 server(s) to try
fnbamd_auth_handle_radius_result-Timer of rad 'FAC_RADUIS' is deleted
fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
extract_success_vsas-FORTINET attr, type 1, val AdminGroup
fnbamd_auth_handle_radius_result-->result for radius svr 'FAC_RADUIS' 192.168.1.99(1) is 0 <- 0: authentication success; 1: authentication failed.
authenticate 'user1' against 'pap' succeeded, server=primary assigned_rad_session_id=237264669 session_timeout=0 secs idle_timeou secs!
Group membership(s) - AdminGroup
RADIUS response codes in the Fnbamd Debug:
0: Success
1: Deny
2: Challenged (password renewal or token is needed)
3: unknown
4: Pending
5: Error
6: Framed IP Conflict
7: Token code is required
8: Need another token due to the previous one is out of sync
9: Response Buffer is too small
10: Authentication time out
11: Max Concurrent authentication sessions are reached
12: Token code is already used.
Here, it is also possible to see usual (error) mschapv2 codes:
646 ERROR_RESTRICTED_LOGON_HOURS
647 ERROR_ACCT_DISABLED
648 ERROR_PASSWD_EXPIRED
649 ERROR_NO_DIALIN_PERMISSION
691 ERROR_AUTHENTICATION_FAILURE
709 ERROR_CHANGING_PASSWORD
If packet capture is performed using (diag sniffer packet any "host x.x.x.x" 6 0 a) or Wireshark, refer to the following RADIUS codes:
| Code |
Assignment |
| 1 |
Access-Request |
| 2 |
Access-Accept |
| 3 |
Access-Reject |
| 4 |
Accounting-Request |
| 5 |
Accounting-Response |
| 11 |
Access-Challenge |
| 12 |
Status-Server (experimental) |
| 13 |
Status-Client (experimental) |
| 40 |
Disconnect-Request |
| 41 |
Disconnect-ACK |
| 42 |
Disconnect-NAK |
| 43 |
CoA-Request |
| 44 |
CoA-ACK |
| 45 |
CoA-NAK |
| 255 |
Reserved |
