Fortinet Forum
NIS
New Contributor II

FortiAnalyzer radius authentication issue

Hi Team,

We are seeing a strange issue with our FortiAnalyzer which is related to RADIUS authentication.

We have configured Cisco ISE as a RADIUS authentication server. The ISE IP and all other parameters are configured on the FortiAnalyzer; however, authentication is not working.

 

We have captured the sniffer traffic but do not see any traffic leaving the device.

Please advise what the issue could be. Is there any way to restart the auth daemon/RADIUS service? We have already rebooted the FortiAnalyzer.


FAZ01 # diagnose sniffer packet any "host x.x.x.x" 4 a
interfaces=[any]
filters=[host x.x.x.x]
^C

Please find the snap for reference.

Anthony_E
Community Manager

Hello NIS,


Thank you for using the Community Forum.

I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Regards,

Anthony-Fortinet Community Team.
Anthony_E
Community Manager

Hello NIS,


I share with you the FortiAnalyzer documentation:


https://docs.fortinet.com/document/fortianalyzer/7.2.0/administration-guide/681142/radius-servers


You can maybe find an answer inside.

If not, we will continue to find a solution.

Regards,

Anthony-Fortinet Community Team.
Markus_M
Staff

Hello NIS,

The packet capture might be different from what I have seen on the FortiAnalyzer.

You might see something there with:

diag sniff (not sniffer) packet any 'port 1812' 4

Then you authenticate. You should also be able to debug (FortiGate style debug, but in parts applies to FortiAnalyzer):

diag debug app fnbamd -1

diag debug enable

On FortiGate you would be able to run:

fnsysctl killall -11 fnbamd

to kill and restart the process, but see if the debug shows more.


Best regards,


Markus

Debbie_FTNT

Hey NIS


To correct the debug commands provided by my colleague (may depend a bit on firmware version):

- FortiAnalyzer has different sniffer levels, try these ones instead:
#diag sniffer packet any '<>' <1|2|3>

-> FortiAnalyzer can't use dia sniff 4-6

#dia de app <fnbam|auth> 255

-> FortiAnalyzer uses 'fnbam' or 'auth', not 'fnbamd', and '255', not '-1'


Those could provide some more insight into what's going on with RADIUS admin authentication.

In addition, if you want the FortiAnalyzer to restrict the admins to a specific group, the RADIUS reply would have to include that as Fortinet-Group-Name attribute.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
NIS
New Contributor II

Hello @Debbie_FTNT - Thank you for your response. I have applied the sniffer and debug. Please see the output below.

Scenario - 1
=============

Issue reproduced from the FortiAnalyzer Web GUI :
=================================================

FAZ01 # diag sniffer packet any "host Radius IP and port 1812" 3 0 a
interfaces=[any]
filters=[host Radius IP and port 1812]
^C
293 packets received by filter
0 packets dropped by kernel

FAZ01 #

=============================================================================================

FAZ01 # diagnose debug application auth 255

FAZ01 # diagnose debug application gui 255

FAZ01 # diagnose debug enable

FAZ01 #
s132: auth request: user=User from=GUI(Radius IP)
s132: unknown admin: User
s132: auth result: denied

s133: auth request: user=User from=GUI(Radius IP)
s133: unknown admin: User
s133: auth result: denied

FAZ01 # diagnose debug application auth 0

FAZ01 #
FAZ01 # diagnose debug application gui 0

FAZ01 #
FAZ01 # diagnose debug disable

===========================================================================================================================================

Scenario - 2
=============

Issue reproduced from the "Test User Credentials" window
=========================================================


FAZ01 # diag sniffer packet any "host Radius IP and port 1812" 3 0 a
interfaces=[any]
filters=[host Radius IP and port 1812]
2022-06-17 14:44:53.022319 10.197.167.102.49101 -> Radius IP.1812: udp 82
0x0000 0000 0000 0000 704c a5a0 718c 0800 4500 ......pL..q...E.
0x0010 006e 8f60 4000 4011 5536 0ac5 a766 43cc .n.`@.@.U6...fC.
0x0020 5ff1 bfcd 0714 005a 5654 010f 0052 7ca9 _......ZVT...R|.
0x0030 5b5f 2c56 beef 439d 1a42 f933 d2b3 010a [_,V..C..B.3....
0x0040 6e69 6b67 756a 6172 0212 de96 6d26 9693 User....m&..
0x0050 f99d d328 508f ff86 88e0 2011 4742 2d44 ...(P.......GB-D
0x0060 432d 544f 4c2d 4641 5a30 312c 0438 624d C-TOL-FAZ01,.8bM
0x0070 0d61 646d 696e 2d6c 6f67 696e .admin-login

2022-06-17 14:44:53.291060 Radius IP.1812 -> 10.197.167.102.49101: udp 134
0x0000 0000 0000 0001 0009 0f09 1e00 0800 4500 ..............E.
0x0010 00a2 fdcf 4000 3b11 eb92 43cc 5ff1 0ac5 ....@.;...C._...
0x0020 a766 0714 bfcd 008e 4dd6 020f 0086 7925 .f......M.....y%
0x0030 a66f 543f ff6b 6389 5fee d15f 76de 010a .oT?.kc._.._v...
0x0040 6e69 6b67 756a 6172 1956 4341 4353 3a61 User.VCACS:a
0x0050 6331 6334 6530 3172 3576 6166 745a 6e4a c1c4e01r5vaftZnJ
0x0060 4e2f 3256 7736 5f4d 5946 4b32 5a6d 6c44 N/2Vw6_MYFK2ZmlD
0x0070 6a6f 484a 3648 7553 5a42 384d 715a 6475 joHJ6HuSZB8MqZdu
0x0080 6173 3a43 5548 5054 4f4c 4953 4530 312f as:CUHPTOLISE01/
0x0090 3433 3837 3933 3830 372f 3431 3037 1a12 438793807/4107..
0x00a0 0000 3044 060c 7072 6f66 5f61 646d 696e ..0D..prof_admin

2022-06-17 14:45:14.940248 10.197.167.102.43790 -> Radius IP.1812: udp 82
0x0000 0000 0000 0000 704c a5a0 718c 0800 4500 ......pL..q...E.
0x0010 006e a451 4000 4011 4045 0ac5 a766 43cc .n.Q@.@.@E...fC.
0x0020 5ff1 ab0e 0714 005a 5654 0110 0052 d557 _......ZVT...R.W
0x0030 7a6a 9e62 c973 5aed 7438 f2a5 a67f 010a zj.b.sZ.t8......
0x0040 6e69 6b67 756a 6172 0212 c092 c681 2452 User......$R
0x0050 dd00 7bf0 083c 6c34 8d9b 2011 4742 2d44 ..{..<l4....GB-D
0x0060 432d 544f 4c2d 4641 5a30 312c 0438 634d C-TOL-FAZ01,.8cM
0x0070 0d61 646d 696e 2d6c 6f67 696e .admin-login

2022-06-17 14:45:40.117748 10.197.167.102.51537 -> Radius IP.1812: udp 82
0x0000 0000 0000 0000 704c a5a0 718c 0800 4500 ......pL..q...E.
0x0010 006e b048 4000 4011 344e 0ac5 a766 43cc .n.H@.@.4N...fC.
0x0020 5ff1 c951 0714 005a 5654 0111 0052 29ed _..Q...ZVT...R).
0x0030 4416 70ca 5755 fa97 2442 52a5 d775 010a D.p.WU..$BR..u..
0x0040 6e69 6b67 756a 6172 0212 9a20 a44d b758 User.....M.X
0x0050 1aec 9b49 d9b3 313a 1c08 2011 4742 2d44 ...I..1:....GB-D
0x0060 432d 544f 4c2d 4641 5a30 312c 0438 644d C-TOL-FAZ01,.8dM
0x0070 0d61 646d 696e 2d6c 6f67 696e .admin-login

2022-06-17 14:45:40.327469 Radius IP.1812 -> 10.197.167.102.51537: udp 134
0x0000 0000 0000 0001 0009 0f09 1e00 0800 4500 ..............E.
0x0010 00a2 5af7 4000 3b11 8e6b 43cc 5ff1 0ac5 ..Z.@.;..kC._...
0x0020 a766 0714 c951 008e 98a3 0211 0086 563e .f...Q........V>
0x0030 ec8a b7f5 da94 c9aa 7a42 bc32 cbb0 010a ........zB.2....
0x0040 6e69 6b67 756a 6172 1956 4341 4353 3a61 User.VCACS:a
0x0050 6331 6334 6530 3141 335a 6177 6952 4d6a c1c4e01A3ZawiRMj
0x0060 6263 4f6d 6958 4b67 766a 4631 2f65 774f bcOmiXKgvjF1/ewO
0x0070 6c6c 3471 3848 514b 7a53 5a4e 3262 3776 ll4q8HQKzSZN2b7v
0x0080 6f30 3a43 5548 5054 4f4c 4953 4530 312f o0:CUHPTOLISE01/
0x0090 3433 3837 3933 3830 372f 3431 3039 1a12 438793807/4109..
0x00a0 0000 3044 060c 7072 6f66 5f61 646d 696e ..0D..prof_admin

^C
23 packets received by filter
0 packets dropped by kernel

==================================================================================================

FAZ01 # applets.cpp[673] app name=HeartBeat
applets.cpp[218] whole sessionCookieChars=1655476965&45715&FL-8HFT718900133&0&3949907011&Radius IP&0
applets.cpp[247] before cache sessionId=45715
applets.cpp[250] after cache sessionId=45715
applets.cpp[343] Valid session
applets.cpp[378] loginType=0, result=0
applets.cpp[701] Valid session name=HeartBeat
applets.cpp[673] app name=HeartBeat
applets.cpp[218] whole sessionCookieChars=1655476965&45715&FL-8HFT718900133&0&3949907011&Radius IP&0
applets.cpp[247] before cache sessionId=45715
applets.cpp[250] after cache sessionId=45715
applets.cpp[343] Valid session
applets.cpp[378] loginType=0, result=0
applets.cpp[701] Valid session name=HeartBeat
applets.cpp[673] app name=HeartBeat
applets.cpp[218] whole sessionCookieChars=1655476965&45715&FL-8HFT718900133&0&3949907011&Radius IP&0
applets.cpp[247] before cache sessionId=45715
applets.cpp[250] after cache sessionId=45715
applets.cpp[343] Valid session
applets.cpp[378] loginType=0, result=0
applets.cpp[701] Valid session name=HeartBeat
applets.cpp[673] app name=HeartBeat
applets.cpp[218] whole sessionCookieChars=1655476965&45715&FL-8HFT718900133&0&3949907011&Radius IP&0
applets.cpp[247] before cache sessionId=45715
applets.cpp[250] after cache sessionId=45715
applets.cpp[343] Valid session
applets.cpp[378] loginType=0, result=0
applets.cpp[701] Valid session name=HeartBeat
permission.cpp[440] before, requestToken=vrMfmE+QFnjV2iM2Ey2TVJ08ykWlODV
permission.cpp[441] before, serverToken=vrMfmE+QFnjV2iM2Ey2TVJ08ykWlODV

s139: test request: user=User
s139: start radius: test-radius
test-radius: send to server 0: Radius IP ip=Radius IP port=1812 id=15 type=pap
test-radius: got reply: code=accept(2) id=15
test-radius: 0-1: User
test-radius: 0-25: CACS:ac1c4e01r5vaftZnJN/2Vw6_MYFK2ZmlDjoHJ6HuSZB8MqZduas:CUHPTOLISE01/438793807/4107
test-radius: ftnt-profile: prof_admin
test-radius: success
s139: auth result: success
applets.cpp[673] app name=HeartBeat
applets.cpp[218] whole sessionCookieChars=1655476965&45715&FL-8HFT718900133&0&3949907011&Radius IP&0
applets.cpp[247] before cache sessionId=45715
applets.cpp[250] after cache sessionId=45715
applets.cpp[343] Valid session
applets.cpp[378] loginType=0, result=0
applets.cpp[701] Valid session name=HeartBeat
applets.cpp[673] app name=HeartBeat
applets.cpp[218] whole sessionCookieChars=1655476965&45715&FL-8HFT718900133&0&3949907011&Radius IP&0
applets.cpp[247] before cache sessionId=45715
applets.cpp[250] after cache sessionId=45715
applets.cpp[343] Valid session
applets.cpp[378] loginType=0, result=0
applets.cpp[701] Valid session name=HeartBeat
applets.cpp[673] app name=HeartBeat
applets.cpp[218] whole sessionCookieChars=1655476965&45715&FL-8HFT718900133&0&3949907011&Radius IP&0
applets.cpp[247] before cache sessionId=45715
applets.cpp[250] after cache sessionId=45715
applets.cpp[343] Valid session
applets.cpp[378] loginType=0, result=0
applets.cpp[701] Valid session name=HeartBeat
applets.cpp[673] app name=HeartBeat
applets.cpp[218] whole sessionCookieChars=1655476965&45715&FL-8HFT718900133&0&3949907011&Radius IP&0
applets.cpp[247] before cache sessionId=45715
applets.cpp[250] after cache sessionId=45715
applets.cpp[343] Valid session
applets.cpp[378] loginType=0, result=0
applets.cpp[701] Valid session name=HeartBeat
applets.cpp[673] app name=HeartBeat
applets.cpp[218] whole sessionCookieChars=1655476965&45715&FL-8HFT718900133&0&3949907011&Radius IP&0
applets.cpp[247] before cache sessionId=45715
applets.cpp[250] after cache sessionId=45715
applets.cpp[343] Valid session
applets.cpp[378] loginType=0, result=0
applets.cpp[701] Valid session name=HeartBeat
permission.cpp[440] before, requestToken=vrMfmE+QFnjV2iM2Ey2TVJ08ykWlODV
permission.cpp[441] before, serverToken=vrMfmE+QFnjV2iM2Ey2TVJ08ykWlODV

s140: test request: user=User
s140: start radius: test-radius
test-radius: send to server 0: Radius IP ip=Radius IP port=1812 id=16 type=pap
applets.cpp[673] app name=HeartBeat
applets.cpp[218] whole sessionCookieChars=1655476965&45715&FL-8HFT718900133&0&3949907011&Radius IP&0
applets.cpp[247] before cache sessionId=45715
applets.cpp[250] after cache sessionId=45715
applets.cpp[343] Valid session
applets.cpp[378] loginType=0, result=0
applets.cpp[701] Valid session name=HeartBeat
applets.cpp[673] app name=HeartBeat
applets.cpp[218] whole sessionCookieChars=1655476965&45715&FL-8HFT718900133&0&3949907011&Radius IP&0
applets.cpp[247] before cache sessionId=45715
applets.cpp[250] after cache sessionId=45715
applets.cpp[343] Valid session
applets.cpp[378] loginType=0, result=0
applets.cpp[701] Valid session name=HeartBeat
s140: timeout
s140: auth result: denied
applets.cpp[673] app name=HeartBeat
applets.cpp[218] whole sessionCookieChars=1655476965&45715&FL-8HFT718900133&0&3949907011&Radius IP&0
applets.cpp[247] before cache sessionId=45715
applets.cpp[250] after cache sessionId=45715
applets.cpp[343] Valid session
applets.cpp[378] loginType=0, result=0
applets.cpp[701] Valid session name=HeartBeat
applets.cpp[673] app name=HeartBeat
applets.cpp[218] whole sessionCookieChars=1655476965&45715&FL-8HFT718900133&0&3949907011&Radius IP&0
applets.cpp[247] before cache sessionId=45715
applets.cpp[250] after cache sessionId=45715
applets.cpp[343] Valid session
applets.cpp[378] loginType=0, result=0
applets.cpp[701] Valid session name=HeartBeat
applets.cpp[673] app name=HeartBeat
applets.cpp[218] whole sessionCookieChars=1655476965&45715&FL-8HFT718900133&0&3949907011&Radius IP&0
applets.cpp[247] before cache sessionId=45715
applets.cpp[250] after cache sessionId=45715
applets.cpp[343] Valid session
applets.cpp[378] loginType=0, result=0
applets.cpp[701] Valid session name=HeartBeat
permission.cpp[440] before, requestToken=vrMfmE+QFnjV2iM2Ey2TVJ08ykWlODV
permission.cpp[441] before, serverToken=vrMfmE+QFnjV2iM2Ey2TVJ08ykWlODV

s141: test request: user=User
s141: start radius: test-radius
test-radius: send to server 0: Radius IP ip=Radius IP port=1812 id=17 type=pap
test-radius: got reply: code=accept(2) id=17
test-radius: 0-1: User
test-radius: 0-25: CACS:ac1c4e01A3ZawiRMjbcOmiXKgvjF1/ewOll4q8HQKzSZN2b7vo0:CUHPTOLISE01/438793807/4109
test-radius: ftnt-profile: prof_admin
test-radius: success
s141: auth result: success
applets.cpp[673] app name=HeartBeat
applets.cpp[218] whole sessionCookieChars=1655476965&45715&FL-8HFT718900133&0&3949907011&Radius IP&0
applets.cpp[247] before cache sessionId=45715
applets.cpp[250] after cache sessionId=45715
applets.cpp[343] Valid session
applets.cpp[378] loginType=0, result=0
applets.cpp[701] Valid session name=HeartBeat

markwarner
Staff

Hello NIS,

I see that you removed the RADIUS server IP but also shared the full hex output of the sniffer and after converting that to a PCAP, I can see your server IP ending 241.
The sniffer shows a login for username n****jar and the RADIUS server replied with access_accept and AVP Fortinet-Access-Profile = prof_admin.

The GUI debug made the output unnecessarily noisy. Auth debug shows that the username "User" (I assume that this was replaced) was authenticated successfully with access-accept and admin profile = prof_admin. prof_admin is not a default admin profile in FMG/FAZ OS; I can only assume that you configured it. It looks like there is also a timeout for the same user "User" and then one more access-accept.

Here is a successful authentication from the auth debug:
s139: test request: user=User
s139: start radius: test-radius
test-radius: send to server 0: Radius IP ip=Radius IP port=1812 id=15 type=pap
test-radius: got reply: code=accept(2) id=15
test-radius: 0-1: User
test-radius: 0-25: CACS:ac1c4e01r5vaftZnJN/2Vw6_MYFK2ZmlDjoHJ6HuSZB8MqZduas:CUHPTOLISE01/438793807/4107
test-radius: ftnt-profile: prof_admin
test-radius: success
s139: auth result: success

The RADIUS administrator is likely configured as a wildcard admin since you're sending back the AVP for admin profile. To use this, ext-auth-accprofile-override should be enabled on the administrator configuration. ext-auth-adom-override and ext-auth-group-match should not be enabled as these attributes are not being sent back from the server.

Maybe this should have been addressed in a TAC ticket. We would also want to check your FAZ admin and admin profile configuration; it might have been better to share that only with TAC rather than our public-facing community site. At least your RADIUS server secret and user password are not visible in plain text.

Please check this KB on RADIUS authentication with FortiAnalyzer / FortiManager:
https://community.fortinet.com/t5/FortiAnalyzer/Technical-Tip-Configure-RADIUS-for-authentication-an...

Kind Regards,
Mark.
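
The reply above reads the Fortinet vendor-specific attribute out of the captured Access-Accept and reasons from it about which ext-auth-* overrides can work. The following is an added example, not code from the thread or from Fortinet: it builds a constructed Access-Accept with the same attribute layout as the capture (User-Name, Class, and a Fortinet VSA carrying prof_admin; the username and Class value are placeholders, the authenticator is zeroed), decodes it, and reports which overrides the reply can support. The Fortinet vendor id (12356, 0x3044 in the hex) and the VSA type numbers for Fortinet-Group-Name (1) and Fortinet-Access-Profile (6) are taken from the Fortinet RADIUS dictionary.

```python
import struct

FORTINET_VENDOR_ID = 12356  # 0x3044, the vendor id visible in the captured VSA
# Vendor-type numbers from the Fortinet RADIUS dictionary (assumed here)
FORTINET_VSA = {1: "Fortinet-Group-Name", 6: "Fortinet-Access-Profile"}
STD_ATTR = {1: "User-Name", 25: "Class", 26: "Vendor-Specific"}

def build_access_accept(ident, authenticator, attrs):
    """Build a RADIUS Access-Accept (code 2) from (type, value) pairs.
    Test input only: the Response Authenticator is taken as given, the
    MD5 over the shared secret is neither computed nor verified here."""
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    return struct.pack("!BBH", 2, ident, 20 + len(body)) + authenticator + body

def fortinet_vsa(vendor_type, value):
    """Encode a Fortinet VSA body: vendor id, vendor-type, vendor-length, value."""
    return struct.pack("!IBB", FORTINET_VENDOR_ID, vendor_type, 2 + len(value)) + value

def parse_attributes(packet):
    """Return [(name, value)] from an Access-Accept, expanding Fortinet VSAs.
    Rejects truncated packets and attributes that overrun the packet length."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 2 or length != len(packet) or length < 20:
        raise ValueError("not a complete Access-Accept")
    out, pos = [], 20  # attributes start after the 16-byte authenticator
    while pos + 2 <= length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + l]
        if t == 26 and len(value) >= 6:
            vendor, vt, vl = struct.unpack("!IBB", value[:6])
            if vendor == FORTINET_VENDOR_ID:
                out.append((FORTINET_VSA.get(vt, f"Fortinet-VSA-{vt}"), value[6:4 + vl]))
            else:
                out.append((f"VSA(vendor={vendor})", value[6:]))
        else:
            out.append((STD_ATTR.get(t, f"Attr-{t}"), value))
        pos += l
    return out

def admin_override_support(attrs):
    """Which FortiAnalyzer admin overrides this reply can actually drive."""
    names = {name for name, _ in attrs}
    return {"ext-auth-accprofile-override": "Fortinet-Access-Profile" in names,
            "ext-auth-group-match": "Fortinet-Group-Name" in names}

# Constructed sample mirroring the capture's attribute layout (placeholder values)
SAMPLE_ACCEPT = build_access_accept(15, bytes(16), [
    (1, b"User"), (25, b"CACS:placeholder-session-id"),
    (26, fortinet_vsa(6, b"prof_admin"))])
```

Running parse_attributes on the sample yields Fortinet-Access-Profile = prof_admin and no Fortinet-Group-Name, which is exactly the situation where ext-auth-accprofile-override applies and ext-auth-group-match has nothing to match.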

NIS
New Contributor II

This is now resolved. The wildcard admin got deleted post device upgrade. This could be a bug according to the FortiGate TAC.