FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ethomollari
Staff
Staff
Description

This article describes tips regarding tracing radius account start and stop messages in the debug log file of collector agent.

 

How to distinguish between start and stop messages for troubleshooting and visibility reasons.

Scope

Scope of this article is related to FSSO setups when CA will use Radius accounting start and stop messages as a source event to enable single sign on for users  .

 

Topology will be:

Radius Server ---> Collector Agent --->FortiGate 

 

FGT 6.0/ 6.2/6.4

FSSO CA 5.0297 / 5.0301

 

#https://docs.fortinet.com/document/fortigate/6.0.0/handbook/482937/agent-based-fsso#RADIUS

Solution

1) Radius Server will send accounting start and stop meesages to the FSSO Collector Agent.

 

2)Collector Agent will parse Radius messages, and will register logons. A start message will denote a login event, whilst a stop message a logout event for the user.

 

3)Collector Agent will update accordingly the FortiGate for any changes related to the user login /logout events , so FortiGate can have an updated database of authenticated and unathenticated users .

 

- Q:How should Start accounting messages look on collector agent debug logs 

+Accounting start messages  should appear in CA logs as :

 

1 1/27/2021 12:03:14 [ 2628] [D][ShowAttributes]RadiusAttr: Type= 40, Length= 6, Value={00 00 00 01 ...} --->value 1 is associated with Start . This is is the same '1' value that it is found in the start packet capture from the Radius accounting source.

 

+Accounting start  has 5 attributes.

 

11/27/2021 12:03:14 [ 2628] [D][DumpPacketData]RadiusPacket: data=0000005FD014E950, size=67
11/27/2021 12:03:14 [ 2628] [D][ShowHeaderInfo]RadiusPacket: Code=4, Id=175, Length=67, Auth={C4 1F 2C ... AF 35}
10/25/2021 12:03:14 [ 2628] [D][ShowAttributes]RadiusAttr: Type= 40, Length= 6, Value={00 00 00 01 ...}
11/27/2021 12:03:14 [ 2628] [D][ShowAttributes]RadiusAttr: Type= 8, Length= 6, Value={0A 03 CB 7E ...}
10/25/2021 12:03:14 [ 2628] [D][ShowAttributes]RadiusAttr: Type= 31, Length= 9, Value={66 67 35 33 ...}
10/25/2021 12:03:14 [ 2628] [D][ShowAttributes]RadiusAttr: Type= 25, Length= 12, Value={4F 50 53 5F ...}
10/25/2021 12:03:14 [ 2628] [D][ShowAttributes]RadiusAttr: Type= 25, Length= 14, Value={56 4D 77 61 ...}
10/25/2021 12:03:14 [ 2628] [D][ShowAttributes]---- 5 Attribute(s) 47 bytes ----

+Start messages on a packet capture

 

ethomollari_0-1638111683369.png

 

 

- Q:How should stop acounting messages look on collector agent debug logs 

+Accounting stop messages should appear in CA logs as :

[D][ShowAttributes]RadiusAttr: Type= 40, Length= 6, Value={00 00 00 02 ...}----> value '2 ' is associated with Stop . This is is the same '2' value that it is found in the stop packet capture from the Radius accounting source 

 

+Accounting stop has 2 attributes


11/27/2021 12:03:52 [ 2628] [D][DumpPacketData]RadiusPacket: data=0000005FD014E950, size=32
11/27/2021 12:03:52 [ 2628] [D][ShowHeaderInfo]RadiusPacket: Code=4, Id=178, Length=32, Auth={1E C7 76 ... 6F A2}
11/27/2021 12:03:52 [ 2628] [D][ShowAttributes]RadiusAttr: Type= 40, Length= 6, Value={00 00 00 02 ...}
10/25/2021 12:03:52 [ 2628] [D][ShowAttributes]RadiusAttr: Type= 8, Length= 6, Value={0A 03 CB 7E ...}
11/27/2021 12:03:52 [ 2628] [D][ShowAttributes]---- 2 Attribute(s) 12 bytes --

 

+Stop messages on a packet capture 

 

ethomollari_1-1638111959668.png

 

Related articles

 

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-RSSO-issue/ta-p/197897 

 

https://tools.ietf.org/html/rfc2866#section-5.5