This article describes basic troubleshooting of RADIUS over TLS (RADSEC) on FortiGate.
Applies to FortiGate 7.4 and above.
Below is the configuration on the FortiGate to enable RADIUS over TLS (RADSEC):
config user radius
edit "FAC"
set server "fac.example.com"
set secret ENC +TxEMrLUDsM+RtnLOhNte3brXzgmXgeRLkm6vdpPAJhOO2UpljS4YmnymnpscmAMk9y26cT+hdgRDuo3KeyunYwqO4yLwxOCBvma+pqOFi7mogDObAyDEphlsiYzygsNQe4Njd/N+Qe27RXcxFO7OEURS0IW0faR/DwH0P6MqHVwuLo/YpNMiPCD+YDqIKcNNK+xk7==
set radius-port 2083
set auth-type pap
set transport-protocol tls <----- Enables RADIUS over TLS (RADSEC); the server listens on TCP port 2083.
next
end
1. When RADIUS over TLS (RADSEC) is enabled, first verify TCP connectivity to the server on port 2083:
exec telnet x.x.x.x 2083
Note: x.x.x.x is the IP address of the RADIUS server.
2. Once connectivity is verified, the message 'Error checking RADIUS connectivity' may still appear. Collect the fnbamd debug (see the commands at the end of this article) to find the cause. In the example below, the RADIUS server is configured by IP address:
tachyon-kvm36 # [1729] handle_req-Rcvd auth req 652312454 for test01 in opt=0100000d prot=0
[457] __compose_group_list_from_req-Group '', type 1
[51] radius_start-eap_local=0
[885] fnbamd_cfg_get_radius_list-
[369] fnbamd_rad_new-10.14.1.55
[171] __init_rad_setting-Preping auth servers.
[154] __rad_server_push-Inserted rad server '10.14.1.55'. <<<<<< The server is configured with the IP address 10.14.1.55 instead of its FQDN.
[373] fnbamd_rad_new-10.14.1.55 created
[907] fnbamd_cfg_get_radius_list-Total rad servers to try: 1
[925] fnbamd_rad_get_auth_server-
[2378] fnbamd_create_ssl_ctx-SSL CTX is created.
[306] __rad_create_ssl_ctx-SSL CTX is created for rad server 10.14.1.55.
[296] fnbamd_radius_get_next_auth_prot-Next auth prot PAP
[976] __auth_ctx_svr_push-Added addr 10.14.1.55:2083 from rad '10.14.1.55'
[815] __fnbamd_rad_get_next_addr-Next available address of rad '10.14.1.55': 10.14.1.55:2083.
[994] __auth_ctx_start-Connection starts 10.14.1.55:10.14.1.55, addr 10.14.1.55:2083 proto: TCP over TLS <<<<< Connection to the server on port 2083 is initiated.
[446] __rad_tcps_open-vfid 0, addr 10.14.1.55, src_ip (null), ssl_opt 1284
[478] __rad_tcps_open-Server identity check is enabled. <<<<<<<<<< The FortiGate confirms that server identity check is enabled, so the server certificate must match the configured server name or IP.
[492] __rad_tcps_open-Still connecting 10.14.1.55.
[508] __rad_tcps_open-Start rad conn timer.
[830] __rad_start_conn-Socket 11 is created for rad '10.14.1.55'.
[701] __rad_add_job_timer-
[616] fnbamd_pop3_start-test01
[618] create_auth_session-Total 1 server(s) to try
[1780] handle_req-r=4
[2309] __verify_cb-Cert error 64, IP address mismatch. Depth 0. Subject '/CN=fac.example.com' <<<<<< After receiving the certificate, the FortiGate finds that the IP address configured for the RADIUS server does not match the subject CN of the certificate, which carries the FQDN fac.example.com.
[404] __rad_tcps_connect-tcps_connect(10.14.1.55) failed: ssl_connect() failed: 167772294 (error:0A000086:SSL routines::certificate verify failed). <----- The FortiGate reports 'certificate verify failed' because of the CN mismatch.
[907] __rad_error-Ret 5, st = 0.
[296] fnbamd_radius_get_next_auth_prot-Next auth prot PAP
tachyon-kvm36 # config user radius
tachyon-kvm36 (radius) # edit FAC
tachyon-kvm36 (FAC) # set server-identity-check disable <----- Disabling the server identity check stops the IP/CN mismatch from failing the TLS handshake. It also means the FortiGate no longer verifies that the certificate belongs to the configured server, so the preferred fix is to set 'server' to the FQDN that matches the certificate CN, as shown in the third debug below.
tachyon-kvm36 (FAC) # end
tachyon-kvm36 # [1729] handle_req-Rcvd auth req 652312455 for test01 in opt=0100000d prot=0
[457] __compose_group_list_from_req-Group '', type 1
[51] radius_start-eap_local=0
[885] fnbamd_cfg_get_radius_list-
[369] fnbamd_rad_new-10.14.1.55
[171] __init_rad_setting-Preping auth servers.
[154] __rad_server_push-Inserted rad server '10.14.1.55'.
[373] fnbamd_rad_new-10.14.1.55 created
[907] fnbamd_cfg_get_radius_list-Total rad servers to try: 1
[925] fnbamd_rad_get_auth_server-
[2378] fnbamd_create_ssl_ctx-SSL CTX is created.
[306] __rad_create_ssl_ctx-SSL CTX is created for rad server 10.14.1.55.
[296] fnbamd_radius_get_next_auth_prot-Next auth prot PAP
[976] __auth_ctx_svr_push-Added addr 10.14.1.55:2083 from rad '10.14.1.55'
[815] __fnbamd_rad_get_next_addr-Next available address of rad '10.14.1.55': 10.14.1.55:2083.
[994] __auth_ctx_start-Connection starts 10.14.1.55:10.14.1.55, addr 10.14.1.55:2083 proto: TCP over TLS <----- Connection to the server on port 2083 is initiated.
[446] __rad_tcps_open-vfid 0, addr 10.14.1.55, src_ip (null), ssl_opt 1284
[492] __rad_tcps_open-Still connecting 10.14.1.55.
[508] __rad_tcps_open-Start rad conn timer.
[830] __rad_start_conn-Socket 11 is created for rad '10.14.1.55'.
[701] __rad_add_job_timer-
[616] fnbamd_pop3_start-test01
[618] create_auth_session-Total 1 server(s) to try
[1780] handle_req-r=4
[415] __rad_tcps_connect-tcps_connect(10.14.1.55) is established. <----- Connection to the RADIUS server on port 2083 is established without any certificate error.
With the server configured by its FQDN (set server "fac.example.com"), the debug shows a different certificate error:
tachyon-kvm36 # [1729] handle_req-Rcvd auth req 652312476 for test01 in opt=0100000d prot=0
[457] __compose_group_list_from_req-Group '', type 1
[51] radius_start-eap_local=0
[885] fnbamd_cfg_get_radius_list-
[369] fnbamd_rad_new-fac.example.com
[171] __init_rad_setting-Preping auth servers.
[154] __rad_server_push-Inserted rad server 'fac.example.com'.
[373] fnbamd_rad_new-fac.example.com created
[907] fnbamd_cfg_get_radius_list-Total rad servers to try: 1
[925] fnbamd_rad_get_auth_server-
[2378] fnbamd_create_ssl_ctx-SSL CTX is created.
[306] __rad_create_ssl_ctx-SSL CTX is created for rad server fac.example.com.
[296] fnbamd_radius_get_next_auth_prot-Next auth prot PAP
[115] fnbamd_dns_resolv_ex-DNS req ipv4 0x3c 'fac.example.com'
[125] fnbamd_dns_resolv_ex-DNS req ipv6 0x203c 'fac.example.com'
[137] fnbamd_dns_resolv_ex-DNS maintainer started.
[1067] fnbamd_rad_auth_ctx_init-Start rad conn timer.
[701] __rad_add_job_timer-
[616] fnbamd_pop3_start-test01
[618] create_auth_session-Total 1 server(s) to try
[1780] handle_req-r=4
[247] fnbamd_dns_parse_resp-got IPv4 DNS reply, req-id=0x3c
[306] fnbamd_dns_parse_resp-req 0x3c: 10.14.1.55
[1020] __fnbamd_rad_dns_cb-Resolved fac.example.com:fac.example.com to 10.14.1.55, cur stack size:-1
[976] __auth_ctx_svr_push-Added addr 10.14.1.55:2083 from rad 'fac.example.com'
[815] __fnbamd_rad_get_next_addr-Next available address of rad 'fac.example.com': 10.14.1.55:2083.
[994] __auth_ctx_start-Connection starts fac.example.com:fac.example.com, addr 10.14.1.55:2083 proto: TCP over TLS
[446] __rad_tcps_open-vfid 0, addr 10.14.1.55, src_ip (null), ssl_opt 1284
[492] __rad_tcps_open-Still connecting 10.14.1.55.
[508] __rad_tcps_open-Start rad conn timer.
[830] __rad_start_conn-Socket 11 is created for rad 'fac.example.com'.
[247] fnbamd_dns_parse_resp-got IPv6 DNS reply, req-id=0x203c
[266] fnbamd_dns_parse_resp-req 0x3c: wrong dns format, qr=1, opcode=0, qdc=1, ancount=0
[35] __fnbamd_dns_req_del-DNS req 0x3c (0x10240e98) is removed. Current total: 2
[47] __fnbamd_dns_req_del-DNS maintainer stopped.
[1020] __fnbamd_rad_dns_cb-Resolved fac.example.com:fac.example.com to ::, cur stack size:0
[982] __auth_ctx_svr_push-Failed to add addr fac.example.com from rad 'fac.example.com'
[2309] __verify_cb-Cert error 19, self-signed certificate in certificate chain. Depth 1. Subject '/CN=example.com' <<< Self-signed certificate chain error: the server sends its certificate together with the root that signed it, but the FortiGate does not have the root CA for example.com (the issuer of fac.example.com) in its trusted CA store. Import that CA certificate into the FortiGate so the chain can be verified.
[404] __rad_tcps_connect-tcps_connect(10.14.1.55) failed: ssl_connect() failed: 167772294 (error:0A000086:SSL routines::certificate verify failed).
[907] __rad_error-Ret 5, st = 0.
[296] fnbamd_radius_get_next_auth_prot-Next auth prot PAP
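The three debug captures above differ only in a handful of lines (the connection start, the identity-check notice, the __verify_cb certificate error and the final tcps_connect result). The script below is an added example, not part of this article or of FortiOS: it parses those fnbamd lines, strips the '<-----' annotations, and turns the OpenSSL verify code into a remediation hint. The two codes on this page (64 = IP address mismatch, 19 = self-signed certificate in chain) are taken from the debug above; the other codes in VERIFY_CODES are standard OpenSSL X509 verify error numbers added here as an assumption to cover neighbouring failure modes. The sample logs are excerpted from the captures in this article.

```python
"""Triage FortiGate fnbamd debug output for RADSEC (RADIUS over TLS) failures."""
import re

# Trailing '<-----' / '<<<<<<' annotations are not part of the fnbamd output.
_ANNOTATION_RE = re.compile(r"\s+<[<-]+.*$")
_CONN_START_RE = re.compile(
    r"__auth_ctx_start-Connection starts (?P<name>[^:]+):\S+, "
    r"addr (?P<addr>[\d.]+):(?P<port>\d+) proto: (?P<proto>.+)$")
_IDENTITY_RE = re.compile(r"__rad_tcps_open-Server identity check is enabled")
_CERT_ERR_RE = re.compile(
    r"__verify_cb-Cert error (?P<code>\d+), (?P<reason>.+?)\. "
    r"Depth (?P<depth>\d+)\. Subject '(?P<subject>[^']*)'")
_ESTABLISHED_RE = re.compile(r"__rad_tcps_connect-tcps_connect\([^)]+\) is established")
_FAILED_RE = re.compile(r"__rad_tcps_connect-tcps_connect\([^)]+\) failed: (?P<why>.+)$")

# OpenSSL X509_V_ERR_* codes -> (meaning, remediation). 64 and 19 appear on this page;
# the others are standard OpenSSL values assumed here for completeness.
VERIFY_CODES = {
    10: ("certificate has expired", "renew the RADIUS server certificate"),
    18: ("self-signed leaf certificate", "issue the server certificate from a CA the FortiGate trusts"),
    19: ("self-signed certificate in chain", "import the root CA that signed the server certificate into the FortiGate"),
    20: ("unable to get local issuer certificate", "import the issuing CA certificate into the FortiGate"),
    62: ("hostname mismatch", "set 'server' to the name present in the certificate CN/SAN"),
    64: ("IP address mismatch", "set 'server' to the FQDN in the certificate CN/SAN instead of the IP address"),
}


def triage(debug_text):
    """Summarise one fnbamd authentication attempt as a dict."""
    result = {"server": None, "addr": None, "port": None, "proto": None,
              "identity_check": False, "established": False,
              "cert_errors": [], "failure": None, "verdict": None, "advice": []}
    for raw in debug_text.splitlines():
        line = _ANNOTATION_RE.sub("", raw).strip()
        m = _CONN_START_RE.search(line)
        if m:
            result.update(server=m["name"], addr=m["addr"], port=int(m["port"]), proto=m["proto"])
            continue
        if _IDENTITY_RE.search(line):
            result["identity_check"] = True
            continue
        m = _CERT_ERR_RE.search(line)
        if m:
            code = int(m["code"])
            result["cert_errors"].append({"code": code, "reason": m["reason"],
                                          "depth": int(m["depth"]), "subject": m["subject"]})
            meaning, fix = VERIFY_CODES.get(code, ("unknown verify error", "inspect the server certificate chain"))
            result["advice"].append(f"cert error {code} ({meaning}) at depth {m['depth']}, subject {m['subject']}: {fix}")
            if code == 64 and result["identity_check"]:
                # Disabling server-identity-check hides this error but drops server authentication.
                result["advice"].append("prefer matching the FQDN over 'set server-identity-check disable'")
            continue
        if _ESTABLISHED_RE.search(line):
            result["established"] = True
            continue
        m = _FAILED_RE.search(line)
        if m:
            result["failure"] = m["why"]
    if result["established"]:
        result["verdict"] = "ok"
    elif result["cert_errors"]:
        result["verdict"] = "tls-cert-verify-failed"
    elif result["failure"]:
        result["verdict"] = "connect-failed"
    else:
        result["verdict"] = "no-connection-attempt"
    return result


# Sample input excerpted from the three debug captures in this article.
LOG_IP_MISMATCH = """\
[994] __auth_ctx_start-Connection starts 10.14.1.55:10.14.1.55, addr 10.14.1.55:2083 proto: TCP over TLS <<<<< connection initiated
[478] __rad_tcps_open-Server identity check is enabled.
[2309] __verify_cb-Cert error 64, IP address mismatch. Depth 0. Subject '/CN=fac.example.com'
[404] __rad_tcps_connect-tcps_connect(10.14.1.55) failed: ssl_connect() failed: 167772294 (error:0A000086:SSL routines::certificate verify failed).
"""
LOG_AFTER_DISABLE = """\
[994] __auth_ctx_start-Connection starts 10.14.1.55:10.14.1.55, addr 10.14.1.55:2083 proto: TCP over TLS
[415] __rad_tcps_connect-tcps_connect(10.14.1.55) is established.
"""
LOG_CHAIN = """\
[994] __auth_ctx_start-Connection starts fac.example.com:fac.example.com, addr 10.14.1.55:2083 proto: TCP over TLS
[2309] __verify_cb-Cert error 19, self-signed certificate in certificate chain. Depth 1. Subject '/CN=example.com'
[404] __rad_tcps_connect-tcps_connect(10.14.1.55) failed: ssl_connect() failed: 167772294 (error:0A000086:SSL routines::certificate verify failed).
"""

if __name__ == "__main__":
    for name, log in (("ip-mismatch", LOG_IP_MISMATCH), ("identity-check-off", LOG_AFTER_DISABLE), ("chain", LOG_CHAIN)):
        r = triage(log)
        print(f"{name}: server={r['server']} verdict={r['verdict']}")
        for hint in r["advice"]:
            print("  -", hint)
```

Paste the output of 'diagnose debug application fnbamd -1' into the script's input and it returns the configured server name, whether identity checking was active, and which certificate error (if any) broke the handshake; a verdict of 'ok' with identity_check False means the connection only succeeded because server validation was turned off.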
To collect the debug output shown above, open two CLI sessions (PuTTY 1 and PuTTY 2) and run the following commands:
PUTTY 1:
diagnose sniffer packet any 'host x.x.x.x and port 2083' 6 0 l
PUTTY 2:
diagnose debug reset
diagnose debug application fnbamd -1
diagnose debug enable
Once the above commands are running in both sessions, test the connectivity. When the error appears, stop the packet capture and the debug:
PUTTY 1:
CTRL+C
PUTTY 2:
diagnose debug disable
diagnose debug reset
Copyright 2024 Fortinet, Inc. All Rights Reserved.