FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
This article provides some technical tips for troubleshooting FortiOS authentication issues.
All FortiOS users

The following article assumes that the following authentication has been configured on the FortiGate:
  • Radius Server authentication
  • LDAP server
  • TACACS+ server
  • RSA/ACE (SecurID) server
1.    The following example shows a RSA server configured as a simple RADIUS server.  (This is mandatory when configuring RSA authentication.)
FG300B3908606806 (radius) # show
config user radius
    edit "Radius1"
        set radius-port 1812
        set secret ENC +dBqbWUO2JFy7cgcB1hTP0/CPbLF1RL9iuC41HHPgt8RAQV91PR/Q4c++4xNV6IkHuKr0vXQX8EmBr0rwbhSGr9f71IgRY88d0qecT7qdVty+0DE
        set server ""
2.    The following CLI debug command can be used to test authentication for a user connecting with this authentication:
diag deb reset
diag deb console time en
diag deb app fnbamd -1
diag deb en
diag sniffer packet any 'host IP.of.RADIUS.Server and (port 1645 or port 1812)' 6
Collect the above output and log directly to file.  Once satisfied with the output save the file.

3.    Perform an authentication test (this example assumes that PAP authentication is being used by the remote authentication server):
FGT400A-1 # diag test authserver radius <server> pap <username> <password>
If the RADIUS server is not configured to use PAP authentication then replace 'pap' by the appropriate method: chap mschap mschap2

4.    Use the following commands to stop the debug output:
diag deb reset
diag deb dis
5.    If after applying the above steps the authentication still fails, collect the output taken in steps 2 and 3 and provide this information with the configuration file of the FortiGate and contact Fortinet Support.