FortiGate
Anonymous
Article Id 199808
Description

This article explains how to trace RADIUS accounting Start and Stop messages in the debug log of the FSSO Collector Agent (CA), and how to tell a Start from a Stop, for troubleshooting and visibility.

Scope

FSSO setups in which the Collector Agent uses RADIUS accounting Start and Stop messages as the source of logon and logoff events for single sign-on.

 

Topology:

RADIUS Server ---> Collector Agent ---> FortiGate

 

FortiGate v6.0/v6.2/v6.4.

FSSO CA 5.0297 / 5.0301

 

Related document:

Agent-based FSSO

Solution
  1. The RADIUS server sends accounting Start and Stop messages (Accounting-Request packets, RADIUS Code 4) to the FSSO Collector Agent.
  2. The Collector Agent parses each RADIUS message and registers the event: a Start message (Acct-Status-Type = 1) denotes a logon, a Stop message (Acct-Status-Type = 2) denotes a logoff for that user.
  3. The Collector Agent forwards every logon/logoff change to the FortiGate, so the FortiGate keeps an up-to-date database of authenticated and unauthenticated users.

 

How Start accounting messages look in the Collector Agent debug log:

Accounting Start messages appear in the CA log with attribute Type 40 (Acct-Status-Type) set to 1:

11/27/2021 12:03:14 [ 2628] [D][ShowAttributes]RadiusAttr: Type= 40, Length= 6, Value={00 00 00 01 ...} ---> value 1 means Start. It is the same value 1 seen in the Start packet captured at the RADIUS accounting source.

 

+Accounting Start has 5 attributes (Type 40 Acct-Status-Type, Type 8 Framed-IP-Address, Type 31 Calling-Station-Id and two Type 25 Class attributes; Code=4 in the header line is Accounting-Request):

 

11/27/2021 12:03:14 [ 2628] [D][DumpPacketData]RadiusPacket: data=0000005FD014E950, size=67
11/27/2021 12:03:14 [ 2628] [D][ShowHeaderInfo]RadiusPacket: Code=4, Id=175, Length=67, Auth={C4 1F 2C ... AF 35}
10/25/2021 12:03:14 [ 2628] [D][ShowAttributes]RadiusAttr: Type= 40, Length= 6, Value={00 00 00 01 ...}
11/27/2021 12:03:14 [ 2628] [D][ShowAttributes]RadiusAttr: Type= 8, Length= 6, Value={0A 03 CB 7E ...}
10/25/2021 12:03:14 [ 2628] [D][ShowAttributes]RadiusAttr: Type= 31, Length= 9, Value={66 67 35 33 ...}
10/25/2021 12:03:14 [ 2628] [D][ShowAttributes]RadiusAttr: Type= 25, Length= 12, Value={4F 50 53 5F ...}
10/25/2021 12:03:14 [ 2628] [D][ShowAttributes]RadiusAttr: Type= 25, Length= 14, Value={56 4D 77 61 ...}
10/25/2021 12:03:14 [ 2628] [D][ShowAttributes]---- 5 Attribute(s) 47 bytes ----

+Start message in a packet capture:

[Screenshot: packet capture of the accounting Start message]

 

 

How Stop accounting messages look in the Collector Agent debug log:

Accounting Stop messages appear in the CA log with attribute Type 40 (Acct-Status-Type) set to 2:

[D][ShowAttributes]RadiusAttr: Type= 40, Length= 6, Value={00 00 00 02 ...} ---> value 2 means Stop. It is the same value 2 seen in the Stop packet captured at the RADIUS accounting source.

 

Accounting Stop has 2 attributes (Type 40 Acct-Status-Type and Type 8 Framed-IP-Address):


11/27/2021 12:03:52 [ 2628] [D][DumpPacketData]RadiusPacket: data=0000005FD014E950, size=32
11/27/2021 12:03:52 [ 2628] [D][ShowHeaderInfo]RadiusPacket: Code=4, Id=178, Length=32, Auth={1E C7 76 ... 6F A2}
11/27/2021 12:03:52 [ 2628] [D][ShowAttributes]RadiusAttr: Type= 40, Length= 6, Value={00 00 00 02 ...}
10/25/2021 12:03:52 [ 2628] [D][ShowAttributes]RadiusAttr: Type= 8, Length= 6, Value={0A 03 CB 7E ...}
11/27/2021 12:03:52 [ 2628] [D][ShowAttributes]---- 2 Attribute(s) 12 bytes --
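The following Python script is an added example and is not part of this article or of Fortinet's Collector Agent code. It covers the steps in the Solution section and the Start/Stop reading of the CA log above: it builds Accounting-Request packets with the same attribute layout and sizes as the two dumps (the Framed-IP-Address 0A 03 CB 7E and the lengths match the dumps; the Calling-Station-Id and Class strings and the shared secret are constructed), decodes them the way the ShowHeaderInfo/ShowAttributes lines present them, classifies CA debug lines as Start or Stop from attribute Type 40, and verifies the Request Authenticator as RFC 2866 section 3 defines it, so a packet whose Acct-Status-Type was altered or that was sent without the shared secret is caught.

```python
import hashlib
import re
import struct

# RADIUS constants used in the CA dumps above (RFC 2865 attribute types, RFC 2866 accounting).
CODE_ACCOUNTING_REQUEST = 4
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_CLASS = 25
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_STATUS_TYPE = 40
ACCT_STATUS_NAMES = {1: "Start", 2: "Stop", 3: "Interim-Update"}

SECRET = b"example-secret"  # assumed RADIUS shared secret, not from the article


def build_accounting_request(ident, attrs, secret):
    """Serialise an Accounting-Request from (type, value bytes) pairs.

    Request Authenticator = MD5(Code + Id + Length + 16 zero octets + attributes + secret),
    as RFC 2866 section 3 defines it; a sender without the secret cannot produce it."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    head = struct.pack("!BBH", CODE_ACCOUNTING_REQUEST, ident, 20 + len(body))
    return head + hashlib.md5(head + bytes(16) + body + secret).digest() + body


def parse_accounting_request(packet, secret=None):
    """Decode header and attributes (what the CA prints as ShowHeaderInfo/ShowAttributes).

    Returns Id, Length, the attribute list, the Acct-Status-Type name and, when the secret
    is supplied, whether the Request Authenticator verifies."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != CODE_ACCOUNTING_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:  # Length counts the Type and Length octets too
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        attrs.append((atype, bytes(packet[pos + 2:pos + alen])))
        pos += alen
    status = None
    for atype, value in attrs:
        if atype == ATTR_ACCT_STATUS_TYPE and len(value) == 4:
            status = ACCT_STATUS_NAMES.get(struct.unpack("!I", value)[0], "unknown")
    ok = None
    if secret is not None:
        ok = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest() == packet[4:20]
    return {"id": ident, "length": length, "attrs": attrs, "status": status, "authenticator_ok": ok}


# The two CA debug line shapes quoted on this page.
_HEADER_RE = re.compile(r"\[ShowHeaderInfo\]RadiusPacket: Code=(\d+), Id=(\d+), Length=(\d+)")
_ATTR_RE = re.compile(r"\[ShowAttributes\]RadiusAttr: Type= *(\d+), Length= *(\d+), "
                      r"Value=\{([0-9A-Fa-f ]+?)(?: \.\.\.)?\}")


def classify_ca_log(lines):
    """Return [(Id, 'Start'|'Stop'|...)] for each Accounting-Request dumped in a CA debug log.

    Only attribute Type 40 decides; the four bytes shown in its Value field are the integer."""
    results, current_id = [], None
    for line in lines:
        m = _HEADER_RE.search(line)
        if m:
            current_id = int(m.group(2)) if int(m.group(1)) == CODE_ACCOUNTING_REQUEST else None
            continue
        m = _ATTR_RE.search(line)
        if m and current_id is not None and int(m.group(1)) == ATTR_ACCT_STATUS_TYPE:
            value = int(m.group(3).replace(" ", "")[:8], 16)
            results.append((current_id, ACCT_STATUS_NAMES.get(value, "unknown")))
    return results


# Constructed packets with the attribute layout and sizes of the dumps above (47 and 12 bytes of
# attributes); the Calling-Station-Id and Class strings are made up, the IP matches the dump.
START_ATTRS = [
    (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", 1)),       # Start
    (ATTR_FRAMED_IP_ADDRESS, bytes([10, 3, 203, 126])),  # 0A 03 CB 7E
    (ATTR_CALLING_STATION_ID, b"fg53abc"),
    (ATTR_CLASS, b"OPS_users1"),
    (ATTR_CLASS, b"VMware_users"),
]
STOP_ATTRS = [
    (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", 2)),       # Stop
    (ATTR_FRAMED_IP_ADDRESS, bytes([10, 3, 203, 126])),
]

# CA debug lines, shortened from the ones quoted on this page.
SAMPLE_CA_LOG = [
    "11/27/2021 12:03:14 [ 2628] [D][ShowHeaderInfo]RadiusPacket: Code=4, Id=175, Length=67, Auth={C4 1F 2C ... AF 35}",
    "11/27/2021 12:03:14 [ 2628] [D][ShowAttributes]RadiusAttr: Type= 40, Length= 6, Value={00 00 00 01 ...}",
    "11/27/2021 12:03:14 [ 2628] [D][ShowAttributes]RadiusAttr: Type= 8, Length= 6, Value={0A 03 CB 7E ...}",
    "11/27/2021 12:03:52 [ 2628] [D][ShowHeaderInfo]RadiusPacket: Code=4, Id=178, Length=32, Auth={1E C7 76 ... 6F A2}",
    "11/27/2021 12:03:52 [ 2628] [D][ShowAttributes]RadiusAttr: Type= 40, Length= 6, Value={00 00 00 02 ...}",
    "11/27/2021 12:03:52 [ 2628] [D][ShowAttributes]RadiusAttr: Type= 8, Length= 6, Value={0A 03 CB 7E ...}",
]


def demo():
    """Decode a Start and a Stop packet, then a Start flipped to Stop without knowing the secret."""
    start = build_accounting_request(175, START_ATTRS, SECRET)
    stop = build_accounting_request(178, STOP_ATTRS, SECRET)
    forged = bytearray(start)
    forged[25] = 2  # last octet of the Acct-Status-Type value: 1 -> 2, authenticator left stale
    return (parse_accounting_request(start, SECRET),
            parse_accounting_request(stop, SECRET),
            parse_accounting_request(bytes(forged), SECRET))


if __name__ == "__main__":
    for r in demo():
        print("Id=%d Length=%d status=%s attrs=%d authenticator_ok=%s"
              % (r["id"], r["length"], r["status"], len(r["attrs"]), r["authenticator_ok"]))
    print(classify_ca_log(SAMPLE_CA_LOG))
```

The decoded Start packet reports Length=67 with 5 attributes and the Stop packet Length=32 with 2 attributes, the same figures as the header and "Attribute(s)" lines in the dumps. The forged packet decodes as a Stop but fails the authenticator check, which is the check a receiver of accounting events should make before treating a Start or Stop as a logon or logoff.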

 

+Stop message in a packet capture:

[Screenshot: packet capture of the accounting Stop message]

 

Related documents:

Troubleshooting Tip: RSSO issue

https://tools.ietf.org/html/rfc2866#section-5.5

Technical Tip: How to use RADIUS test tool to test RADIUS accounting function on FortiGate and FSSO ...
