DescriptionThis article provides some technical tips for troubleshooting FortiOS authentication issues. ScopeAll FortiOS users
SolutionThe following article assumes that the following authentication has been configured on the FortiGate:
- Radius Server authentication
- LDAP server
- TACACS+ server
- RSA/ACE (SecurID) server
1. The following example shows a RSA server configured as a simple RADIUS server. (This is mandatory when configuring RSA authentication.)
FG300B3908606806 (radius) # show
config user radius
edit "Radius1"
set radius-port 1812
set secret ENC +dBqbWUO2JFy7cgcB1hTP0/CPbLF1RL9iuC41HHPgt8RAQV91PR/Q4c++4xNV6IkHuKr0vXQX8EmBr0rwbhSGr9f71IgRY88d0qecT7qdVty+0DE
set server "192.168.24.3"
next
end |
2. The following CLI debug command can be used to test authentication for a user connecting with this authentication:
diag deb reset
diag deb console time en
diag deb app fnbamd -1
diag deb en
diag sniffer packet any 'host IP.of.RADIUS.Server and (port 1645 or port 1812)' 6 |
Collect the above output and log directly to file. Once satisfied with the output save the file.
3. Perform an authentication test (this example assumes that PAP authentication is being used by the remote authentication server):
| FGT400A-1 # diag test authserver radius <server> pap <username> <password> |
If the RADIUS server is not configured to use PAP authentication then replace 'pap' by the appropriate method: chap mschap mschap2
4. Use the following commands to stop the debug output:
diag deb reset
diag deb dis |
5. If after applying the above steps the authentication still fails, collect the output taken in steps 2 and 3 and provide this information with the configuration file of the FortiGate and contact Fortinet Support.
