js2
Staff
Article Id 196263
Description
This article describes how to troubleshoot RADIUS two-factor authentication and the extraction of the RADIUS group attribute value for SSL VPN users.

Solution
Debug commands for troubleshooting.
# diag debug reset
# diag debug application fnbamd -1
# diag debug application sslvpn -1
# diag debug enable
Once the authentication is verified, disable the logs.
# diag debug disable
The debugs below are a sample of RADIUS authentication with Azure Multi-Factor Authentication, using an authentication code and push notification.

Debug sample when the user does not match the correct group.
[1305] fnbamd_rad_dns_cb-172.20.30.150-->172.20.30.150
[1280] __fnbamd_rad_send-Sent radius req to server 'RadiusAuth': fd=15, IP=172.20.30.150(172.20.30.150:1812) code=1 id=109 len=149 user="name " using PAP
[282] radius_server_auth-Timer of rad 'RadiusAuth' is added
[556] create_auth_session-Total 1 server(s) to try
[2503] fnbamd_auth_handle_radius_result-Timer of rad 'RadiusAuth' is deleted
[1746] fnbamd_radius_auth_validate_pkt-RADIUS resp code 11                                                                      <----- In a packet capture this is the Access-Challenge asking the user to enter the Microsoft verification code.
[2529] fnbamd_auth_handle_radius_result-->Result for radius svr 'RadiusAuth' 172.20.30.150(1) is 2
[182] fnbamd_comm_send_result-Sending result 2 (error 0, nid 0) for req 455441835
[1271] freeze_auth_session-
[1338] fnbamd_radius_auth_send-Compose RADIUS request
[1280] __fnbamd_rad_send-Sent radius req to server 'RadiusAuth': fd=15, IP=172.20.30.150(172.20.30.150:1812) code=1 id=110 len=187 user="name" using PAP
[2342] send_radius_challenge_rsp-Timer of rad 'RadiusAuth' is added
[2503] fnbamd_auth_handle_radius_result-Timer of rad 'RadiusAuth' is deleted
[1746] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2                                                       <----- Find the access accept with response code 2.
[2529] fnbamd_auth_handle_radius_result-->Result for radius svr 'RadiusAuth' 172.20.30.150(1) is 0
[2459] fnbamd_radius_group_match-Skipping group matching
[984] find_matched_usr_grps-Skipped group matching
[182] fnbamd_comm_send_result-Sending result 0 (error 0, nid 0) for req 455441835
[710] destroy_auth_session-delete session 455441835
[253:root:1aa]Auth failed due to group restrictions   
[253:root:1aa]fam_auth_send_req:575 with server blacklist: #RadiusAuth
[253:root:1aa]fam_auth_send_req:695 task finished with 5
[253:root:1aa]sslvpn_authenticate_user:169 authenticate user: [name]
[253:root:1aa]login_failed:330 user[name],auth_type=2 failed [sslvpn_login_unknown_user]                        <----- Authentication fails because no RADIUS group attribute was received from the server.
[252:root:1aa]sslvpn_read_request_common,639, ret=-1 error=-1, sconn=0x7fcc38619c00.
[252:root:1aa]Destroy sconn 0x7fcc38619c00, connSize=0. (root)
Even though the RADIUS server sends an Access-Accept, authentication fails because no RADIUS group attribute value is extracted from the response, so the user cannot be matched to the SSL VPN user group.

Debug sample for user matching the group and successful login.

[254:root:1ab]sslvpn_authenticate_user:169 authenticate user: [name]
[254:root:1ab]sslvpn_authenticate_user:176 create fam state
[254:root:1ab]fam_auth_send_req:575 with server blacklist:
[254:root:1ab]fam_auth_send_req_internal:453 fnbam_auth return: 4
[2245] handle_req-Rcvd auth req 455441874 for name in VPNgroup opt=00000500 prot=10
[397] __compose_group_list_from_req-Group 'VPNgroup'
[614] fnbamd_pop3_start-name
[607] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'RadiusAuth' for usergroup 'VPNgroup' (5)
[305] fnbamd_create_radius_socket-Opened radius socket 15
[305] fnbamd_create_radius_socket-Opened radius socket 16
[1338] fnbamd_radius_auth_send-Compose RADIUS request
[1305] fnbamd_rad_dns_cb-172.20.30.150->172.20.30.150
[1280] __fnbamd_rad_send-Sent radius req to server 'RadiusAuth': fd=15, IP=172.20.30.150(172.20.30.150:1812) code=1 id=111 len=149 user="name" using PAP
[282] radius_server_auth-Timer of rad 'RadiusAuth' is added
[1780] cert_check_group_list-checking group type 6 group name ''
[1945] fnbamd_auth_cert_check_status-match any specified, treat as succeed
[182] fnbamd_comm_send_result-Sending result 0 (error 0, nid 672) for req 455441875
[2503] fnbamd_auth_handle_radius_result-Timer of rad 'RadiusAuth' is deleted
[1746] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[305] extract_success_vsas-FORTINET attr, type 1, val RemoteVPNgroup
[254:root:1ab]Auth successful for group VPNgroup                           <----- Authentication succeeds: the RADIUS group attribute is extracted and matches the configured group name.
[2685] handle_req-Rcvd 7 req
[254:root:1ab]fam_do_cb:548 fnbamd return auth success.
SSL VPN login matched rule (1).
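The two samples above differ in three places: the sequence of RADIUS response codes (11 = Access-Challenge, 2 = Access-Accept, 3 = Access-Reject, per RFC 2865), whether an `extract_success_vsas-FORTINET attr, type 1` line (the Fortinet-Group-Name attribute) appears, and whether the sslvpn side reports `Auth successful for group` or `Auth failed due to group restrictions`. The following Python script is an added example, not part of this article or FortiOS; it parses `diag debug application fnbamd -1` / `sslvpn -1` output for those markers and reports at which stage a login stopped. The embedded sample texts are trimmed excerpts of the debug lines shown above; the verdict strings and the `AuthTrace` fields are this example's own names.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Standard RADIUS packet codes (RFC 2865); only the ones fnbamd reports here.
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept",
                3: "Access-Reject", 11: "Access-Challenge"}

# Patterns for the fnbamd / sslvpn debug lines used as markers.
RESP_RE = re.compile(r"fnbamd_radius_auth_validate_pkt-RADIUS resp code (\d+)")
VSA_RE = re.compile(r"extract_success_vsas-FORTINET attr, type (\d+), val (\S+)")
GROUP_OK_RE = re.compile(r"Auth successful for group (\S+)")
GROUP_FAIL_RE = re.compile(r"Auth failed due to group restrictions")
LOGIN_FAIL_RE = re.compile(r"login_failed:\d+ user\[([^\]]+)\],auth_type=\d+ failed \[(\w+)\]")


@dataclass
class AuthTrace:
    responses: List[str] = field(default_factory=list)        # RADIUS codes seen, in order
    group_values: List[str] = field(default_factory=list)     # Fortinet VSA type 1 values
    matched_group: Optional[str] = None                       # FortiGate user group that matched
    failure_reasons: List[str] = field(default_factory=list)  # sslvpn-side failure tags


def parse_fnbamd_debug(text: str) -> AuthTrace:
    """Walk the debug output line by line and collect the facts that decide the outcome."""
    trace = AuthTrace()
    for line in text.splitlines():
        m = RESP_RE.search(line)
        if m:
            code = int(m.group(1))
            trace.responses.append(RADIUS_CODES.get(code, f"code-{code}"))
            continue
        m = VSA_RE.search(line)
        if m and m.group(1) == "1":          # type 1 = Fortinet-Group-Name
            trace.group_values.append(m.group(2))
            continue
        m = GROUP_OK_RE.search(line)
        if m:
            trace.matched_group = m.group(1)
            continue
        if GROUP_FAIL_RE.search(line):
            trace.failure_reasons.append("group_restrictions")
            continue
        m = LOGIN_FAIL_RE.search(line)
        if m:
            trace.failure_reasons.append(m.group(2))
    return trace


def diagnose(trace: AuthTrace) -> str:
    """Map the collected facts to the stage at which the login stopped."""
    if "Access-Reject" in trace.responses:
        return "rejected-by-radius"              # wrong credentials/OTP: check the RADIUS server log
    if "Access-Accept" not in trace.responses:
        return "no-accept"                       # timeout, or the 2FA challenge was never answered
    if trace.matched_group:
        return "success"
    if not trace.group_values:
        return "accept-without-group-attribute"  # server never sent Fortinet-Group-Name
    return "group-mismatch"                      # attribute present, but no user group matched it


# Constructed samples: trimmed excerpts of the article's two debug captures.
FAILED_LOGIN = """\
[1746] fnbamd_radius_auth_validate_pkt-RADIUS resp code 11
[1280] __fnbamd_rad_send-Sent radius req to server 'RadiusAuth': fd=15, code=1 id=110 user="name" using PAP
[1746] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[2459] fnbamd_radius_group_match-Skipping group matching
[253:root:1aa]Auth failed due to group restrictions
[253:root:1aa]login_failed:330 user[name],auth_type=2 failed [sslvpn_login_unknown_user]
"""

SUCCESSFUL_LOGIN = """\
[607] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'RadiusAuth' for usergroup 'VPNgroup' (5)
[1746] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[305] extract_success_vsas-FORTINET attr, type 1, val RemoteVPNgroup
[254:root:1ab]Auth successful for group VPNgroup
"""

if __name__ == "__main__":
    for label, sample in (("failed", FAILED_LOGIN), ("successful", SUCCESSFUL_LOGIN)):
        t = parse_fnbamd_debug(sample)
        print(f"{label}: responses={t.responses} groups={t.group_values} -> {diagnose(t)}")
```

Run it against a saved debug capture (`python3 parse_fnbamd.py < debug.txt` after replacing the embedded samples with `sys.stdin.read()`). An `accept-without-group-attribute` verdict points at the RADIUS server configuration (the server accepted the user but returned no Fortinet-Group-Name), while `group-mismatch` means the attribute value arrived but does not equal the group name configured on the FortiGate user group.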

Related Articles

Technical Tip: Radius authentication troubleshooting
