FortiGate
zzarrouk
Staff
Article Id 196192

Description


This article describes how to troubleshoot the most common RADIUS authentication problems on a FortiGate.

Solution


To test the RADIUS server object and confirm that the FortiGate can authenticate a user against it, use the following CLI command:

#diagnose test authserver radius <radius_server_name> <authentication_scheme> <username> <password>

Note:

<radius_server_name> = name of the RADIUS server object configured on the FortiGate (config user radius).

<authentication_scheme> = one of pap, chap, mschap or mschap2 (MS-CHAPv2). Use the scheme the RADIUS server is configured to accept for this client.

Example:


#diagnose test authserver radius Radius_SERVER pap user1 password

Advanced troubleshooting:

To get more information about the reason for an authentication failure, enable the debug of fnbamd (the FortiGate authentication daemon) and repeat the test while the debug is running:

# diagnose debug enable
# diagnose debug application fnbamd 255

Then run the RADIUS authentication test again:

#diag test authserver radius RADIUS_SERVER pap user1 password

To stop the debug afterwards:

#diagnose debug application fnbamd 0
#diagnose debug disable

Sample debug output for a successful RADIUS authentication test:


#diag test authserver radius FAC_RADUIS pap user1 Password
handle_req-Rcvd auth req 237264669 for user1 in FAC_RADUIS opt=0000001d prot=0
compose_group_list_from_req-Group 'FAC_RADUIS'
fnbamd_pop3_start-user1
fnbamd_cfg_get_radius_list_by_server-Loading RADIUS server 'FAC_RADUIS'
fnbamd_create_radius_socket-Opened radius socket 15
fnbamd_create_radius_socket-Opened radius socket 16
fnbamd_radius_auth_send-Compose RADIUS request
fnbamd_rad_dns_cb-192.168.1.99
fnbamd_rad_send-Sent radius req to server 'FAC_RADUIS': fd=15, IP=192.168.1.99(192.168.1.99:1812) code=1 id=164 len=91 u="user1" using Pap            <----- Username and authentication scheme.
radius_server_auth-Timer of rad 'FAC_RADUIS' is added
create_auth_session-Total 1 server(s) to try
fnbamd_auth_handle_radius_result-Timer of rad 'FAC_RADUIS' is deleted
fnbamd_radius_auth_validate_pkt-RADIUS resp code 2                                                                             <----- RADIUS packet code 2 = Access-Accept (see the code table below).
extract_success_vsas-FORTINET attr, type 1, val AdminGroup                                                                     <----- Fortinet vendor-specific attribute type 1 (Fortinet-Group-Name) carrying the group.
fnbamd_auth_handle_radius_result-->result for radius svr 'FAC_RADUIS' 192.168.1.99(1) is 0                                     <----- fnbamd result: 0 = success, 1 = deny (full list below).
authenticate 'user1' against 'pap' succeeded, server=primary assigned_rad_session_id=237264669 session_timeout=0 secs idle_timeou secs!
Group membership(s) - AdminGroup

fnbamd result codes (the value after "is" in the result line above):

0: Success
1: Deny
2: Challenged (password renewal or token is needed)
3: Unknown
4: Pending
5: Error
6: Framed IP conflict
7: Token code is required
8: Another token is needed because the previous one was out of sync
9: Response buffer is too small
10: Authentication timed out
11: Maximum number of concurrent authentication sessions reached
12: Token code has already been used
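As an added example (not part of the original article and not Fortinet code), the following Python script parses an fnbamd trace in the format shown above and maps the request, the RADIUS reply code and the fnbamd result onto the meanings listed, so the outcome of a test can be read off at a glance. The successful trace is copied from the output above with the annotations removed; the rejected trace is constructed in the same line format, and the script assumes that an MS-CHAP-Error string ("E=<code>"), when the server returns one, is echoed verbatim in the trace.

```python
"""Summarise a FortiGate 'diagnose debug application fnbamd 255' RADIUS trace.

Added example, not Fortinet code. The regular expressions assume the line
formats shown in the article; the reject trace below is constructed.
"""
import re

# fnbamd result codes, as listed in the article.
FNBAMD_RESULT = {
    0: "Success", 1: "Deny", 2: "Challenged (password renewal or token needed)",
    3: "Unknown", 4: "Pending", 5: "Error", 6: "Framed IP conflict",
    7: "Token code required", 8: "Another token needed (previous one out of sync)",
    9: "Response buffer too small", 10: "Authentication timed out",
    11: "Max concurrent authentication sessions reached", 12: "Token code already used",
}
# RADIUS packet codes seen in an authentication exchange (RFC 2865).
RADIUS_CODE = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
# MS-CHAPv2 error codes listed in the article (the E= value of the MS-CHAP-Error string).
MSCHAP_ERROR = {646: "ERROR_RESTRICTED_LOGON_HOURS", 647: "ERROR_ACCT_DISABLED",
                648: "ERROR_PASSWD_EXPIRED", 649: "ERROR_NO_DIALIN_PERMISSION",
                691: "ERROR_AUTHENTICATION_FAILURE", 709: "ERROR_CHANGING_PASSWORD"}

SENT = re.compile(r"Sent radius req to server '(?P<server>[^']+)': fd=\d+, IP=(?P<ip>[\d.]+)"
                  r"\([\d.]+:(?P<port>\d+)\) code=(?P<code>\d+) id=(?P<id>\d+) len=\d+ "
                  r'u="(?P<user>[^"]+)" using (?P<scheme>\w+)')
RESP = re.compile(r"RADIUS resp code (?P<code>\d+)")
RESULT = re.compile(r"result for radius svr '[^']+' [\d.]+\(\d+\) is (?P<result>\d+)")
VSA = re.compile(r"extract_success_vsas-FORTINET attr, type (?P<type>\d+), val (?P<val>\S+)")
MSCHAP = re.compile(r"\bE=(?P<err>\d{3})\b")   # assumption: MS-CHAP-Error string echoed in the trace


def parse_fnbamd(trace: str) -> dict:
    """Collect request, reply and result details of one authentication attempt."""
    s = {"server": None, "ip": None, "port": None, "user": None, "scheme": None,
         "request_code": None, "response_code": None, "result": None,
         "result_meaning": None, "mschap_error": None, "groups": []}
    for line in trace.splitlines():
        if m := SENT.search(line):
            s.update(server=m["server"], ip=m["ip"], port=int(m["port"]), user=m["user"],
                     scheme=m["scheme"].lower(), request_code=int(m["code"]))
        elif m := RESP.search(line):
            s["response_code"] = int(m["code"])
        elif m := RESULT.search(line):
            s["result"] = int(m["result"])
            s["result_meaning"] = FNBAMD_RESULT.get(s["result"], "Unlisted")
        elif m := VSA.search(line):
            if m["type"] == "1":                 # Fortinet-Group-Name
                s["groups"].append(m["val"])
        elif m := MSCHAP.search(line):
            code = int(m["err"])
            s["mschap_error"] = f"{code} {MSCHAP_ERROR.get(code, 'unlisted')}"
    return s


def verdict(s: dict) -> str:
    """Turn the parsed trace into a troubleshooting hint."""
    if s["request_code"] is None:
        return "No request was sent: check the RADIUS server object (address, DNS, source interface)."
    if s["response_code"] is None:
        return (f"Request sent to {s['ip']}:{s['port']} but no reply seen: check reachability, "
                "that the FortiGate is defined as a client on the server, and UDP 1812 on the path.")
    reply = RADIUS_CODE.get(s["response_code"], f"code {s['response_code']}")
    if s["result"] == 0:
        return f"{reply}: '{s['user']}' authenticated with {s['scheme']}, groups {s['groups']}"
    detail = f" ({s['mschap_error']})" if s["mschap_error"] else ""
    return (f"{reply}: fnbamd result {s['result']} {s['result_meaning']}{detail} for "
            f"'{s['user']}' with {s['scheme']}; check credentials and shared secret on the server.")


# Constructed sample: the successful trace from the article, minus annotations.
SAMPLE_ACCEPT = """\
handle_req-Rcvd auth req 237264669 for user1 in FAC_RADUIS opt=0000001d prot=0
fnbamd_rad_send-Sent radius req to server 'FAC_RADUIS': fd=15, IP=192.168.1.99(192.168.1.99:1812) code=1 id=164 len=91 u="user1" using Pap
fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
extract_success_vsas-FORTINET attr, type 1, val AdminGroup
fnbamd_auth_handle_radius_result-->result for radius svr 'FAC_RADUIS' 192.168.1.99(1) is 0
"""
# Constructed sample of a rejected attempt, following the same line formats.
SAMPLE_REJECT = """\
fnbamd_rad_send-Sent radius req to server 'FAC_RADUIS': fd=15, IP=192.168.1.99(192.168.1.99:1812) code=1 id=165 len=91 u="user2" using Pap
fnbamd_radius_auth_validate_pkt-RADIUS resp code 3
fnbamd_auth_handle_radius_result-->result for radius svr 'FAC_RADUIS' 192.168.1.99(1) is 1
"""

if __name__ == "__main__":
    for trace in (SAMPLE_ACCEPT, SAMPLE_REJECT):
        print(verdict(parse_fnbamd(trace)))
```

Paste the debug output into a file and feed it to parse_fnbamd; a trace that contains the "Sent radius req" line but no "RADIUS resp code" line is the signature of a server that never answered, which the verdict distinguishes from an explicit Access-Reject.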

With MS-CHAPv2, the debug can also show the error code that the server returns in the MS-CHAP-Error attribute. The usual values are:


646 ERROR_RESTRICTED_LOGON_HOURS
647 ERROR_ACCT_DISABLED
648 ERROR_PASSWD_EXPIRED
649 ERROR_NO_DIALIN_PERMISSION
691 ERROR_AUTHENTICATION_FAILURE
709 ERROR_CHANGING_PASSWORD


If a packet capture is taken, either with the built-in sniffer (# diag sniffer packet any "host x.x.x.x" 6 0 a, where x.x.x.x is the RADIUS server address; the filter can be narrowed further with "and port 1812") or with Wireshark, the RADIUS packet codes are as follows (RFC 2865; codes 40 to 45 are the dynamic authorization messages of RFC 5176):


Code Assignment
1 Access-Request
2 Access-Accept
3 Access-Reject
4 Accounting-Request
5 Accounting-Response
11 Access-Challenge
12 Status-Server (experimental)
13 Status-Client (experimental)
40 Disconnect-Request
41 Disconnect-ACK
42 Disconnect-NAK
43 CoA-Request
44 CoA-ACK
45 CoA-NAK
255 Reserved
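As an added example (not part of the original article and not Fortinet code), the Python below builds a constructed Access-Request/Access-Accept pair using the codes above, decodes the header and attributes, including the Fortinet vendor-specific Group-Name attribute that appears in the fnbamd output as "FORTINET attr, type 1", and checks the Response Authenticator of the reply against the shared secret. Applied to the UDP payload of a captured exchange, that check tells whether the server and the FortiGate hold the same secret, and decrypting the PAP User-Password shows what the FortiGate actually sent. The shared secret, Request Authenticator and attribute values are constructed for the demonstration.

```python
"""Decode RADIUS packets and check the Response Authenticator (RFC 2865).

Added example, not Fortinet code. The shared secret, Request Authenticator and
packets below are constructed so the script runs offline; on a real capture the
bytes would be the UDP payload seen in the sniffer or Wireshark.
"""
import hashlib
import hmac
import struct

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                4: "Accounting-Request", 5: "Accounting-Response",
                11: "Access-Challenge", 12: "Status-Server", 13: "Status-Client",
                40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
                43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK", 255: "Reserved"}
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
              18: "Reply-Message", 26: "Vendor-Specific"}
FORTINET_VENDOR_ID = 12356                       # Fortinet's IANA enterprise number
FORTINET_VSA = {1: "Fortinet-Group-Name", 3: "Fortinet-Vdom-Name", 6: "Fortinet-Access-Profile"}


def encrypt_pap_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret || previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out


def decrypt_pap_password(cipher: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of the above; with the right secret a captured request yields the password."""
    out, prev = b"", req_auth
    for i in range(0, len(cipher), 16):
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def tlv(attr_type: int, value: bytes) -> bytes:
    """One attribute: Type (1 byte), Length (1 byte, includes the header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def fortinet_vsa(vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific (26) carrying one Fortinet sub-attribute, as fnbamd logs it."""
    return tlv(26, struct.pack("!IBB", FORTINET_VENDOR_ID, vendor_type, len(value) + 2) + value)


def build_request(ident: int, req_auth: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs


def build_response(code: int, ident: int, attrs: bytes, req_auth: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs


def parse_packet(data: bytes) -> dict:
    """Header plus a decoded attribute list; Fortinet VSAs are expanded by name."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad RADIUS Length field")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        value = data[pos + 2:pos + alen]
        if atype == 26 and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            name = (FORTINET_VSA.get(vtype, f"Fortinet-{vtype}") if vendor == FORTINET_VENDOR_ID
                    else f"VSA-{vendor}-{vtype}")
            attrs.append((name, value[6:4 + vlen]))
        else:
            attrs.append((ATTR_NAMES.get(atype, f"Attr-{atype}"), value))
        pos += alen
    return {"code": code, "name": RADIUS_CODES.get(code, "Unassigned"), "id": ident,
            "length": length, "authenticator": data[4:20], "attrs": attrs}


def verify_response(response: bytes, req_auth: bytes, secret: bytes) -> bool:
    """True only if the reply was built with the same shared secret and for this request."""
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + req_auth + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


# Constructed exchange mirroring the article's test: id 164, user1/password, PAP.
SECRET = b"constructed-shared-secret"
REQ_AUTH = bytes(range(16))                     # a real NAS sends 16 random bytes here
REQUEST = build_request(164, REQ_AUTH, tlv(1, b"user1")
                        + tlv(2, encrypt_pap_password(b"password", SECRET, REQ_AUTH))
                        + tlv(4, bytes([192, 168, 1, 1])))
ACCEPT = build_response(2, 164, fortinet_vsa(1, b"AdminGroup"), REQ_AUTH, SECRET)

if __name__ == "__main__":
    for pkt in (REQUEST, ACCEPT):
        p = parse_packet(pkt)
        print(f"code={p['code']} {p['name']} id={p['id']} len={p['length']} attrs={p['attrs']}")
    print("accept authenticator valid:", verify_response(ACCEPT, REQ_AUTH, SECRET))
    print("with wrong secret:", verify_response(ACCEPT, REQ_AUTH, b"wrong"))
```

For a real capture, take the 16-byte authenticator from the Access-Request (parse_packet(request)["authenticator"]) as req_auth and pass the reply's UDP payload to verify_response; a False result with the secret configured on the FortiGate means the server signed with a different secret, and the decrypted User-Password will come out as garbage on the server side, which typically shows up as Access-Reject and fnbamd result 1.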