Support Forum
starking9b
New Contributor

Can not access radius server from fortigate

I am trying to set up authentication using a FreeRADIUS server with a FortiGate. I can ping between the FortiGate and the Ubuntu machine that FreeRADIUS runs on, but when I try to add the RADIUS server from the User & Device section, the server cannot be reached, and no request arrives at FreeRADIUS from the FortiGate. I don't know why that is; I can ping it but cannot reach the RADIUS server.

Toshi_Esumi
SuperUser

I don't know where you're looking to see the error. But you can check RADIUS connectivity in the GUI: User & Device -> RADIUS Servers -> edit "server_name" -> "Test Connectivity" button. When you hit it and enter one of the users' username/password pairs, you should see a RADIUS request and then a reply (UDP 1812 on the server side) in "diag sniffer packet any 'host SERVER_IP' 4", like below:

19.058198 lan out 192.168.1.254.3949 -> 172.16.1.1.1812: udp 52
20.060076 lan in 172.16.1.11.1812 -> 192.168.1.254.3949: udp 20

If you don't see them, something is wrong with the RADIUS config on the FGT. Not much to configure though: server IP, secret password, and nas-ip generally.

emnoc
Esteemed Contributor III

I would check the logs on the RADIUS server and client. If the secret is wrong, or the wrong service port is defined, or the system is set for DTLS/TLS, these will generate almost no response back to the RADIUS client. You can do packet captures to see the radius-accept/reject messages.

PCNSE NSE StrongSwan
MdMan85
New Contributor II

Are you doing this over VPN?

starking9b

yes over vpn

starking9b

I can access FreeRADIUS using another FortiGate, but from this FortiGate I cannot. The RADIUS service is working on port 1812.

MdMan85
New Contributor II

If you're running it over VPN then you'll need to specify a source IP for RADIUS.

If you're using VDOMs these would be the commands (placeholders in angle brackets, no quotes):

config vdom
    edit <vdom name>
        config user radius
            edit <Name you gave it>
                set source-ip <Firewall LAN IP>
            end
    end

If you do not have VDOMs enabled the commands are (placeholders in angle brackets, no quotes):

config user radius
    edit <Name you gave it>
        set source-ip <Firewall LAN IP>
end

Try those and let me know if that helped or if you have any questions

gagandeeps
Staff

If the server is reachable behind VLANs, make sure to set source-ip to the actual interface or LAN IP, not the VLAN IP.
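As an added check (not from the thread), a small Python parser that reads "diag sniffer packet" lines in the format Toshi_Esumi showed and flags the two failure modes discussed above: requests leaving the FortiGate with no reply, and a request source address outside the VPN's local subnet, which is the case MdMan85's "set source-ip" fixes. The sample capture lines and the 192.168.1.0/24 tunnel subnet are constructed assumptions.

```python
import ipaddress
import re

# One "diag sniffer packet any 'host SERVER_IP' 4" line looks like:
#   19.058198 lan out 192.168.1.254.3949 -> 172.16.1.1.1812: udp 52
SNIFFER_LINE = re.compile(
    r"^\s*(?P<ts>[\d.]+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+udp\s+(?P<length>\d+)"
)
RADIUS_AUTH_PORT = 1812

def parse_sniffer(text):
    """Parse sniffer lines into dicts; lines that do not match are skipped."""
    packets = []
    for line in text.splitlines():
        m = SNIFFER_LINE.match(line)
        if m:
            p = m.groupdict()
            for key in ("sport", "dport", "length"):
                p[key] = int(p[key])
            packets.append(p)
    return packets

def check_radius(sniffer_text, server_ip, tunnel_local_subnet):
    """Return findings about RADIUS traffic to server_ip. tunnel_local_subnet is the
    local network the VPN selector covers; a request sourced outside it is not sent
    through the tunnel, which is what 'set source-ip' fixes (assumed topology)."""
    local_net = ipaddress.ip_network(tunnel_local_subnet)
    requests, answered = {}, set()
    for p in parse_sniffer(sniffer_text):
        if p["dir"] == "out" and p["dst"] == server_ip and p["dport"] == RADIUS_AUTH_PORT:
            requests[(p["src"], p["sport"])] = p    # keyed by the client socket
        elif p["dir"] == "in" and p["src"] == server_ip and p["sport"] == RADIUS_AUTH_PORT:
            answered.add((p["dst"], p["dport"]))   # reply addressed to that socket
    findings = []
    if not requests:
        findings.append("no RADIUS request left the FortiGate: check server IP and port")
    for (src, sport) in requests:
        if ipaddress.ip_address(src) not in local_net:
            findings.append(f"request from {src} is outside {local_net}: set source-ip")
        if (src, sport) not in answered:
            findings.append(f"request {src}:{sport} -> {server_ip}:{RADIUS_AUTH_PORT} got no reply")
    return findings

# Constructed sample captures (not real output): a healthy exchange and a failing one
HEALTHY_CAPTURE = """19.058198 lan out 192.168.1.254.3949 -> 172.16.1.1.1812: udp 52
20.060076 lan in 172.16.1.1.1812 -> 192.168.1.254.3949: udp 20"""
BROKEN_CAPTURE = """5.001122 wan1 out 203.0.113.10.4001 -> 172.16.1.1.1812: udp 52
10.002233 wan1 out 203.0.113.10.4001 -> 172.16.1.1.1812: udp 52"""
if __name__ == "__main__":
    for name, cap in (("healthy", HEALTHY_CAPTURE), ("broken", BROKEN_CAPTURE)):
        print(name, check_radius(cap, "172.16.1.1", "192.168.1.0/24") or ["ok"])
```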
