Description
This article describes how to solve the error 'Realm not specified, default goes to FAC local user' for Admin login on FortiSRA when FortiAuthenticator is acting as a RADIUS server.
Scope
FortiSRA, FortiAuthenticator.
Solution
Configuration on FortiAuthenticator:
Step 1:
Add the FortiSRA as a RADIUS client under Authentication -> RADIUS Service -> Clients.
Step 2:
Create a new RADIUS policy. Navigate to RADIUS Service -> Policies.
Step 3:
Set the Authentication Types. In this example, this option has been set to 'Password/OTP authentication'.
Step 4:
Navigate to Identity sources, then select the realm format and the user group the user is part of.
Step 5:
Set Authentication factors and proceed by selecting update and exit.
Configuration on SRA:
Step 1:
Add the RADIUS server under User Management -> RADIUS Server and ensure that the connection status is 'successful'.
Note the authentication type: CHAP works only with local users on the FortiAuthenticator. For MSCHAPv2, follow Technical Tip: Authenticating users using MSCHAPv2.
Step 2:
Navigate to User Management -> User list to create a user on SRA, selecting the RADIUS server.
Step 3:
The user on the FortiSRA must be created with exactly the same name as on the FortiAuthenticator, so that the FortiSRA can form the message and forward it in the RADIUS request. When using a realm, it should be supplied accordingly.
In the example, realm 'ldap_ad' is marked as the default realm. The naming on the FortiSRA remains as follows:
On FortiAuthenticator:
On SRA:
If the conditions are switched:
On FortiAuthenticator:
On SRA:
Note:
Make a note of the noticeable changes in the user list when the realm is selected on the FortiAuthenticator. If the user list does not match the exact format, the error above is shown on the FortiAuthenticator.
To create a realm, refer to Create realm on FortiAuthenticator.
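The effect of the default realm on name matching, as an added example (not Fortinet code and not part of the original article): a small Python model that splits a name typed on the FortiSRA by the policy's realm format and predicts which realm it lands in. The resolution rules, the 'local' realm name and the sample users are assumptions made for illustration; only 'ldap_ad' comes from the article.

```python
# Added illustration: a model of realm resolution, not FortiAuthenticator code.
# Realm formats a RADIUS policy can select: separator and which side holds the realm.
FORMATS = {
    "username@realm": ("@", "right"),
    "realm\\username": ("\\", "left"),
    "realm/username": ("/", "left"),
}

def split_username(name, fmt):
    """Return (realm, user); realm is None when the name carries no realm."""
    sep, realm_side = FORMATS[fmt]
    if sep not in name:
        return None, name
    if realm_side == "right":
        user, realm = name.rsplit(sep, 1)
    else:
        realm, user = name.split(sep, 1)
    return realm, user

def resolve(name, fmt, realms, default_realm):
    """Predict the realm a FortiSRA user name is looked up in (assumed rules)."""
    realm, user = split_username(name, fmt)
    if realm is None:
        return default_realm, user, "no realm in name, default realm used"
    if realm not in realms:
        return None, user, "realm not selected in the policy"
    return realm, user, "realm taken from name"

def audit(sra_users, fmt, realms, default_realm, expected_realm):
    """Return the FortiSRA user names that would not land in expected_realm."""
    problems = []
    for name in sra_users:
        realm, _user, note = resolve(name, fmt, realms, default_realm)
        if realm != expected_realm:
            problems.append((name, realm, note))
    return problems

# Constructed sample data: 'ldap_ad' is the article's realm, the rest is made up.
REALMS = ["local", "ldap_ad"]
SRA_USERS = ["alice", "alice@ldap_ad", "carol@corp"]

if __name__ == "__main__":
    for default in ("ldap_ad", "local"):
        print(f"default realm = {default}")
        for row in audit(SRA_USERS, "username@realm", REALMS, default, "ldap_ad"):
            print("  mismatch:", row)
```

With 'ldap_ad' as the default realm the bare name resolves to it; with the local realm as default, the same bare name is flagged and the realm has to be part of the name created on the FortiSRA.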
Troubleshooting:
If the RADIUS connectivity fails or any issues are seen with authentication:
Log in to the FortiAuthenticator debug page at https://x.x.x.x/debug
Navigate to Categories -> RADIUS -> Authentication -> Enable Debug Mode -> Enable Detailed Debug Mode.
diagnose debug reset
diagnose debug console timestamp enable
diagnose debug app fnbamd -1
diagnose debug app httpsd -1
diagnose wad debug enable category auth
diagnose wad debug enable level verbose
diagnose debug enable
diagnose debug disable <----- To disable the debug processes after the issue has been reproduced.