FortiSwitch
shoh
Staff
Article Id 410972
Description This article describes how to administratively access FortiSwitch with RADIUS and 2FA.
Scope FortiSwitch.
Solution

The FortiSwitch administration login does not prompt for a token code for RADIUS users who require Two-Factor Authentication (2FA). The login screen shows "Invalid credentials, please try again."

 

fsw-login-failed.png

 

Sample FortiAuthenticator RADIUS debug logs:

 

2025-09-10T21:37:10.807814-07:00 FortiAuthenticator radiusd[28758]: (0) facauth: ===>NAS IP:10.56.x.x 
2025-09-10T21:37:10.807892-07:00 FortiAuthenticator radiusd[28758]: (0) facauth: ===>Username:admin.2fa
2025-09-10T21:37:10.807920-07:00 FortiAuthenticator radiusd[28758]: (0) facauth: ===>Timestamp:1757565430.807904, age:0ms
2025-09-10T21:37:10.809941-07:00 FortiAuthenticator radiusd[28758]: (0) facauth: Found authclient from preloaded authclients list for 10.56.x.x: FSW-01 (10.56.x.x)
2025-09-10T21:37:10.813664-07:00 FortiAuthenticator radiusd[28758]: (0) facauth: Found authpolicy 'RADIUS_2FA' for client '10.56.x.x'
2025-09-10T21:37:10.813697-07:00 FortiAuthenticator radiusd[28758]: (0) facauth: Setting 'Auth-Type := FACAUTH'
2025-09-10T21:37:10.814067-07:00 FortiAuthenticator radiusd[28758]: Not doing PAP as Auth-Type is already set.
2025-09-10T21:37:10.814111-07:00 FortiAuthenticator radiusd[28758]: (0) # Executing group from file /usr/etc/raddb/sites-enabled/default
2025-09-10T21:37:10.814196-07:00 FortiAuthenticator radiusd[28758]: (0) facauth: Client type: external (subtype: radius)
2025-09-10T21:37:10.814213-07:00 FortiAuthenticator radiusd[28758]: (0) facauth: Input raw_username: admin.2fa Realm: (null) username: admin.2fa
2025-09-10T21:37:10.814223-07:00 FortiAuthenticator radiusd[28758]: (0) facauth: Searching default realm as well
2025-09-10T21:37:10.814237-07:00 FortiAuthenticator radiusd[28758]: (0) facauth: Realm not specified, default goes to FAC local user
2025-09-10T21:37:10.819956-07:00 FortiAuthenticator radiusd[28758]: (0) facauth: Local user found: admin.2fa
2025-09-10T21:37:10.819995-07:00 FortiAuthenticator radiusd[28758]: (0) facauth: User [enable fido: false, token count: 0, revoked_token_count: 0]
2025-09-10T21:37:10.820028-07:00 FortiAuthenticator radiusd[28758]: (0) facauth: Policy [fido_auth_opt: disabled, twofactor: allow both, no_fido: two factor, revoked: reject]
2025-09-10T21:37:10.820050-07:00 FortiAuthenticator radiusd[28758]: (0) facauth: Decided on [is_fido: false, two_factor: allow both, token_type: Fortitoken]
2025-09-10T21:37:10.842826-07:00 FortiAuthenticator radiusd[28758]: (0) facauth: Partial auth done, challenge for token code
2025-09-10T21:37:10.842929-07:00 FortiAuthenticator radiusd[28758]: (0) facauth: Sending Access-Challenge.
2025-09-10T21:37:10.843098-07:00 FortiAuthenticator radiusd[28758]: (0) facauth: Updated auth log 'admin.2fa' for attempt from 10.56.x.x: Local administrator authentication partially done, expecting FortiToken
2025-09-10T21:37:10.843175-07:00 FortiAuthenticator radiusd[28758]: (0) # Executing group from file /usr/etc/raddb/sites-enabled/default
2025-09-10T21:37:10.843244-07:00 FortiAuthenticator radiusd[28758]: (0) Sent Access-Challenge Id 14 from 10.56.y.y:1812 to 10.56.x.x:48304 length 140
2025-09-10T21:37:10.843258-07:00 FortiAuthenticator radiusd[28758]: (0) Message-Authenticator := 0x00
2025-09-10T21:37:10.843272-07:00 FortiAuthenticator radiusd[28758]: (0) Reply-Message = "+Enter token code or no code to send a notification to your FortiToken Mobile"
2025-09-10T21:37:10.843282-07:00 FortiAuthenticator radiusd[28758]: (0) Fortinet-FAC-Challenge-Code = "001"
2025-09-10T21:37:10.843291-07:00 FortiAuthenticator radiusd[28758]: (0) State = 0x30303030303030303030
2025-09-10T21:37:11.143826-07:00 FortiAuthenticator radiusd[28758]: Waking up in 29.6 seconds.
2025-09-10T21:37:16.158772-07:00 FortiAuthenticator radiusd[28758]: Waking up in 24.6 seconds.
2025-09-10T21:37:16.158813-07:00 FortiAuthenticator radiusd[28758]: Signalled to terminate
2025-09-10T21:37:16.158826-07:00 FortiAuthenticator radiusd[28758]: Exiting normally

 

Sample FortiSwitch fnbamd debug:

 

fnbamd_fsm.c[1570] handle_req-Rcvd auth req 1280180224 for user admin.2fa cred_len:8: in group RADIUS_group port= opt=1025 prot=10
fnbamd_fsm.c[1575] handle_req-Rcvd auth group_num:1025: sizeof:10:0:6456 authserver_timeout:5448:
fnbamd_fsm.c[200] create_auth_session-Start and beginning fnbamd_auth_start timeout:7000:
fnbamd_auth.c[354] radius_start-radius_start for usergroup :RADIUS_group:, username :admin.2fa: no. server:1:
fnbamd_auth.c[293] fnbamd_create_radius_socket-Opened radius socket 13
fnbamd_auth.c[293] fnbamd_create_radius_socket-Opened radius socket 14
fnbamd_radius.c[1327] fnbamd_radius_auth_init-svr_idx=0 ctx=0x1ef6860, user=admin.2fa, cred=0x1f334b9, cred_len=8
fnbamd_radius.c[1329] fnbamd_radius_auth_init-auth_prot=0, chap_challenge=(nil), chap_challenge_len=0
fnbamd_radius.c[1770] fnbamd_radius_auth_send-Compose RADIUS request
fnbamd_radius.c[2073] fnbamd_radius_auth_send-Radius auth_send check DNS :10.56.y.y:
fnbamd_radius.c[1718] fnbamd_rad_dns_cb-10.56.y.y->10.56.y.y
fnbamd_radius.c[1614] __send_udp-sending radius udp IPv4 request: fd=13.
fnbamd_radius.c[1657] __fnbamd_rad_send-Sent radius req to server 'radius-fac': fd=13, is_ipv6:0, IP=10.56.y.y(10.56.y.y:1812) code=ACCESS_REQUEST id=28 len=118 user="admin.2fa" using PAP
fnbamd_auth.c[797] auth_tac_plus_start-Didn't find tac_plus servers (0)
fnbamd_auth.c[491] ldap_start-Didn't find ldap servers (0)
fnbamd_auth.c[1095] fnbamd_auth_start-Auth protocol start
fnbamd_fsm.c[231] create_auth_session-Registering auth timeout :7000:
fnbamd_fsm.c[1998] handle_auth_rsp-handle_auth_rsp: from file descriptor:13:
fnbamd_auth.c[2425] fnbamd_auth_handle_radius_result-Result for vlanId :0: vlanIdName:: tag:0:
fnbamd_radius.c[270] check_response_authenticator-Response authenticator check result:0:.
fnbamd_radius.c[2319] fnbamd_radius_auth_validate_pkt-RADIUS resp code ACCESS_CHALLENGE
fnbamd_auth.c[2461] fnbamd_auth_handle_radius_result-->Result for radius svr 10.56.y.y(0) is FNBAM_CHALLENGED
fnbamd_comm.c[213] fnbamd_comm_send_result-Sending result FNBAM_CHALLENGED for req 1280180224 len 0 class 0:0 filter 0:0
fnbamd_auth.c[435] radius_stop-radius_stop for usergroup :RADIUS_group:, username :admin.2fa:
 
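In the debugs above, FortiAuthenticator replies with Access-Challenge and fnbamd reports FNBAM_CHALLENGED, but the FortiSwitch login page does not present the challenge to the user.
To log in with a 2FA user configured on a RADIUS server, concatenate the password and the token (password+Token, for example, 'P@ssword<token>').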
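To find which administrators are hitting this condition, the FortiAuthenticator RADIUS debug can be scanned for challenges that were sent but never answered. The script below is an added example, not Fortinet code; the sample lines are constructed in the format shown above, and both the shape of a follow-up request (a later request number with the same username) and the 30-second window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the format of the FortiAuthenticator radiusd debug above.
# Request (0) is challenged and never answered; requests (1)/(2) show a client
# that does answer (the shape of that follow-up request is an assumption).
SAMPLE = """\
2025-09-10T21:37:10.807892-07:00 FortiAuthenticator radiusd[28758]: (0) facauth: ===>Username:admin.2fa
2025-09-10T21:37:10.842929-07:00 FortiAuthenticator radiusd[28758]: (0) facauth: Sending Access-Challenge.
2025-09-10T21:37:16.158772-07:00 FortiAuthenticator radiusd[28758]: Waking up in 24.6 seconds.
2025-09-10T21:40:00.000000-07:00 FortiAuthenticator radiusd[28758]: (1) facauth: ===>Username:other.user
2025-09-10T21:40:00.050000-07:00 FortiAuthenticator radiusd[28758]: (1) facauth: Sending Access-Challenge.
2025-09-10T21:40:08.000000-07:00 FortiAuthenticator radiusd[28758]: (2) facauth: ===>Username:other.user
"""

# timestamp, host, radiusd[pid]: (request number) facauth: message
LINE = re.compile(r"^(\S+) \S+ radiusd\[\d+\]: \((\d+)\) facauth: (.*)$")

def unanswered_challenges(log_text, window_s=30):
    """Return [(username, challenge_time)] for Access-Challenges that were not
    followed by a new request from the same user within window_s seconds."""
    user_of = {}     # request number -> username
    requests = []    # (time, username) for every request seen
    challenges = []  # (time, username) for every challenge sent
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # "Waking up" lines, attribute dumps, wrapped fragments
        ts = datetime.fromisoformat(m.group(1))
        req, msg = int(m.group(2)), m.group(3)
        if msg.startswith("===>Username:"):
            user_of[req] = msg.split(":", 1)[1].strip()
            requests.append((ts, user_of[req]))
        elif msg.startswith("Sending Access-Challenge"):
            challenges.append((ts, user_of.get(req, "?")))
    window = timedelta(seconds=window_s)
    flagged = []
    for c_ts, user in challenges:
        answered = any(u == user and c_ts < r_ts <= c_ts + window
                       for r_ts, u in requests)
        if not answered:
            flagged.append((user, c_ts.isoformat()))
    return flagged

if __name__ == "__main__":
    for user, when in unanswered_challenges(SAMPLE):
        print(f"{when} challenge to {user} was never answered")
```

Users flagged this way are logging in through a client that does not display the token prompt and should use the password+Token form.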
 
FortiSwitch Administration Page with a 2FA user:
 
fsw-login-success.png
 
 
 
Sample FortiAuthenticator Access Log:
 
fac-2fa-log.png
