Troubleshooting tip : Tracing Radius accounting logs on Collector Agent debug logs for FSSO CA via Radius Accounting setups

Anonymous · ‎11-28-2021

Description

This article describes tips regarding tracing radius account start and stop messages in the debug log file of collector agent.

How to distinguish between start and stop messages for troubleshooting and visibility reasons.

Scope

Scope of this article is related to FSSO setups when CA will use Radius accounting start and stop messages as a source event to enable single sign on for users .

Topology will be:

Radius Server ---> Collector Agent --->FortiGate

FGT 6.0/ 6.2/6.4

FSSO CA 5.0297 / 5.0301

#https://docs.fortinet.com/document/fortigate/6.0.0/handbook/482937/agent-based-fsso#RADIUS

Solution

1) Radius Server will send accounting start and stop meesages to the FSSO Collector Agent.

2)Collector Agent will parse Radius messages, and will register logons. A start message will denote a login event, whilst a stop message a logout event for the user.

3)Collector Agent will update accordingly the FortiGate for any changes related to the user login /logout events , so FortiGate can have an updated database of authenticated and unathenticated users .

- Q:How should Start accounting messages look on collector agent debug logs

+Accounting start messages should appear in CA logs as :

1 1/27/2021 12:03:14 [ 2628] [D][ShowAttributes]RadiusAttr: Type= 40, Length= 6, Value={00 00 00 01 ...} --->value 1 is associated with Start . This is is the same '1' value that it is found in the start packet capture from the Radius accounting source.

+Accounting start has 5 attributes.

11/27/2021 12:03:14 [ 2628] [D][DumpPacketData]RadiusPacket: data=0000005FD014E950, size=67
11/27/2021 12:03:14 [ 2628] [D][ShowHeaderInfo]RadiusPacket: Code=4, Id=175, Length=67, Auth={C4 1F 2C ... AF 35}
10/25/2021 12:03:14 [ 2628] [D][ShowAttributes]RadiusAttr: Type= 40, Length= 6, Value={00 00 00 01 ...}
11/27/2021 12:03:14 [ 2628] [D][ShowAttributes]RadiusAttr: Type= 8, Length= 6, Value={0A 03 CB 7E ...}
10/25/2021 12:03:14 [ 2628] [D][ShowAttributes]RadiusAttr: Type= 31, Length= 9, Value={66 67 35 33 ...}
10/25/2021 12:03:14 [ 2628] [D][ShowAttributes]RadiusAttr: Type= 25, Length= 12, Value={4F 50 53 5F ...}
10/25/2021 12:03:14 [ 2628] [D][ShowAttributes]RadiusAttr: Type= 25, Length= 14, Value={56 4D 77 61 ...}
10/25/2021 12:03:14 [ 2628] [D][ShowAttributes]---- 5 Attribute(s) 47 bytes ----

+Start messages on a packet capture

- Q:How should stop acounting messages look on collector agent debug logs

+Accounting stop messages should appear in CA logs as :

[D][ShowAttributes]RadiusAttr: Type= 40, Length= 6, Value={00 00 00 02 ...}----> value '2 ' is associated with Stop . This is is the same '2' value that it is found in the stop packet capture from the Radius accounting source

+Accounting stop has 2 attributes

11/27/2021 12:03:52 [ 2628] [D][DumpPacketData]RadiusPacket: data=0000005FD014E950, size=32
11/27/2021 12:03:52 [ 2628] [D][ShowHeaderInfo]RadiusPacket: Code=4, Id=178, Length=32, Auth={1E C7 76 ... 6F A2}
11/27/2021 12:03:52 [ 2628] [D][ShowAttributes]RadiusAttr: Type= 40, Length= 6, Value={00 00 00 02 ...}
10/25/2021 12:03:52 [ 2628] [D][ShowAttributes]RadiusAttr: Type= 8, Length= 6, Value={0A 03 CB 7E ...}
11/27/2021 12:03:52 [ 2628] [D][ShowAttributes]---- 2 Attribute(s) 12 bytes --

+Stop messages on a packet capture