Description
This article provides some technical tips for troubleshooting FortiOS authentication issues.
Scope
All FortiOS users
Solution
The following article assumes that the following authentication has been configured on the FortiGate:
- Radius Server authentication.
- LDAP server.
- TACACS+ server.
- RSA/ACE (SecurID) server.
- To show the configuration of the server, on the CLI, type the following commands to show some of the popular authentication servers:
- show user radius: To show the RADIUS server configuration.
- show user ldap: To show the LDAP configuration.
- show user tacacs+: To show the TACACS+ server.
Here are all of the options:
FGT # show user
adgrp Configure FSSO groups.
certificate Configure certificate users.
domain-controller Configure domain controller entries.
exchange Configure MS Exchange server entries.
fortitoken Configure FortiToken.
fsso Configure Fortinet Single Sign On (FSSO) agents.
fsso-polling Configure FSSO active directory servers for polling mode.
group Configure user groups.
krb-keytab Configure Kerberos keytab entries.
ldap Configure LDAP server entries.
local Configure local users.
nac-policy Configure NAC policy matching pattern to identify matching NAC devices.
password-policy Configure user password policy.
peer Configure peer users.
peergrp Configure peer groups.
pop3 POP3 server entry configuration.
quarantine Configure quarantine support.
radius Configure RADIUS server entries.
saml SAML server entry configuration.
security-exempt-list Configure security exemption list.
setting Configure user authentication setting.
tacacs+ Configure TACACS+ server entries.
The following example shows an RSA server configured as a simple RADIUS server. (This is mandatory when configuring RSA authentication).
FG300B3908-----6 (radius) # show
config user radius
edit "Radius1"
set radius-port 1812
set secret ENC +dBqbWUO2JFy7cgcB1hTP0/CPbLF1RL9iuC41HHPgt8RAQV91PR/Q4c++4xNV6IkHuKr0vXQX8EmBr0rwbhSGr9f71IgRY88d0qecT7qdVty+0DE
set server "192.168.24.3"
next
end
- Open a new CLI console window and set up a sniffer. Here are the sniffer commands to capture traffic from some of the most popular servers:
- For RADIUS: diag sniffer packet any 'host <IP-address> and (port 1645 or port 1812)' 6 0 l
- For LDAP/LDAPS: diag sniffer packet any 'host <IP-address> and (port 389 or port 636)' 6 0 l
- For TACACS+: diag sniffer packet any 'host <IP-address> and port 49' 6 0 l
- Open another CLI console and execute the following CLI commands for authentication debug:
diag deb reset
diag deb console time en
diag deb app fnbamd -1
diag deb en
- Perform an authentication test, either in a new CLI console or in the CLI console of step 2:
diag test authserver <type-of-server> <server-name> <authentication-protocol> <username> <password>
- Here is the list of <type-of-server> that you can do the authentication test:
FGT # diag test authserver
radius Test RADIUS server. [Take 0-4 arg(s)]
tacacs+ test TACACS+ server. [Take 0-3 arg(s)]
radius-direct Test RADIUS server directly. [Take 0-7 arg(s)]
ldap-direct Test LDAP server directly. [Take 0-2 arg(s)]
tacacs+-direct Test TACACS+ server directly. [Take 0-3 arg(s)]
ldap Test LDAP server. [Take 0-3 arg(s)]
ldap-digest Test LDAP HA1 password query. [Take 0-2 arg(s)]
ldap-search Search LDAP server. [Take 0-10 arg(s)]
cert Test certificate authentication. [Take 0-255 arg(s)]
pop3 Test POP3 server. [Take 0-3 arg(s)]
local Test local user. [Take 0-3 arg(s)]
user Test user with group/user ID/name(s). [Take 0-255 arg(s)]
- The supported <authentication-protocol> are: pap chap mschap mschap2
This example assumes that PAP authentication is being used by the remote authentication server):
FGT400A-1 # diag test authserver radius <server> pap <username> <password>
- Use the following commands to stop the debug output: diag deb disable / diag deb reset
- If after applying the above steps the authentication still fails, collect the output taken in the above steps provide this information with the configuration file of the FortiGate, and contact Fortinet Support.
