Description
This article describes how to troubleshoot the most common RADIUS authentication problems on a FortiGate: testing a RADIUS server object from the CLI, reading the fnbamd debug output, and interpreting the codes seen in the debug and in a packet capture.
Solution
To test a RADIUS server object and confirm that authentication works end to end, use the following CLI command:
# diagnose test authserver radius <radius server_name> <authentication scheme> <username> <password>
Note:
<radius server_name> = name of the RADIUS server object on the FortiGate (as configured under config user radius).
<authentication scheme> = one of pap, chap, mschap or mschap2 (MS-CHAPv2). Use the scheme the RADIUS server is configured to accept for this FortiGate; a scheme the server does not allow is refused even when the username and password are correct, so test with the scheme that the policy or portal actually uses.
Example:
# diagnose test authserver radius Radius_SERVER pap user1 password
Advanced troubleshooting:
To find out why an authentication fails, enable the debug of fnbamd (the FortiGate authentication daemon), run the test again, and read the output:
# diagnose debug enable
# diagnose debug application fnbamd 255
Then run the RADIUS authentication test:
# diagnose test authserver radius RADIUS_SERVER pap user1 password
To stop the debug afterwards:
# diagnose debug application fnbamd 0
# diagnose debug disable
Sample debug output of a successful authentication (the text after <----- is an explanation, not part of the output):
#diag test authserver radius FAC_RADUIS pap user1 Password
handle_req-Rcvd auth req 237264669 for user1 in FAC_RADUIS opt=0000001d prot=0
compose_group_list_from_req-Group 'FAC_RADUIS'
fnbamd_pop3_start-user1
fnbamd_cfg_get_radius_list_by_server-Loading RADIUS server 'FAC_RADUIS'
fnbamd_create_radius_socket-Opened radius socket 15
fnbamd_create_radius_socket-Opened radius socket 16
fnbamd_radius_auth_send-Compose RADIUS request
fnbamd_rad_dns_cb-192.168.1.99
fnbamd_rad_send-Sent radius req to server 'FAC_RADUIS': fd=15, IP=192.168.1.99(192.168.1.99:1812) code=1 id=164 len=91 u="user1" using Pap <----- Username and authentication scheme.
radius_server_auth-Timer of rad 'FAC_RADUIS' is added
create_auth_session-Total 1 server(s) to try
fnbamd_auth_handle_radius_result-Timer of rad 'FAC_RADUIS' is deleted
fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
extract_success_vsas-FORTINET attr, type 1, val AdminGroup
fnbamd_auth_handle_radius_result-->result for radius svr 'FAC_RADUIS' 192.168.1.99(1) is 0 <----- fnbamd result code (see the list below): 0 = success, 1 = deny.
authenticate 'user1' against 'pap' succeeded, server=primary assigned_rad_session_id=237264669 session_timeout=0 secs idle_timeou secs!
Group membership(s) - AdminGroup
fnbamd result codes (the number after 'is' in the 'result for radius svr' line of the debug output). These are internal fnbamd results, not RADIUS packet codes: a RADIUS Access-Accept (resp code 2) gives result 0, an Access-Reject (resp code 3) gives result 1, and an Access-Challenge (resp code 11) gives result 2 or 7:
0: Success
1: Deny
2: Challenged (password renewal or token is needed)
3: Unknown
4: Pending
5: Error
6: Framed IP conflict
7: Token code is required
8: Need another token because the previous one is out of sync
9: Response buffer is too small
10: Authentication timed out (no reply from the server: check reachability, UDP port 1812 and whether the FortiGate is defined as a client on the RADIUS server)
11: Max concurrent authentication sessions are reached
12: Token code is already used
When the MS-CHAPv2 scheme is used, the debug output can also show the MS-CHAP error code that the server returns in its MS-CHAP-Error attribute (RFC 2759, in the form E=<code>). The common ones are:
646 ERROR_RESTRICTED_LOGON_HOURS
647 ERROR_ACCT_DISABLED
648 ERROR_PASSWD_EXPIRED
649 ERROR_NO_DIALIN_PERMISSION
691 ERROR_AUTHENTICATION_FAILURE (the generic wrong username or password error)
709 ERROR_CHANGING_PASSWORD
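The following is an added example, not code from this article or from Fortinet: a small Python parser that reads fnbamd debug output of the kind shown above and turns it into a verdict using the three code lists on this page (the fnbamd result codes, the RADIUS response codes and the MS-CHAPv2 error codes). The success sample is built from the lines of the debug output above with the annotations removed; the reject sample is constructed for illustration, and in particular the wording of the line carrying E=691 is an assumption (only the E=<code> format itself comes from RFC 2759).

```python
import re

# fnbamd result codes: the N in "... result for radius svr 'X' <ip>(1) is N" (list above).
FNBAMD_RESULT = {
    0: "Success", 1: "Deny", 2: "Challenged (password renewal or token needed)",
    3: "Unknown", 4: "Pending", 5: "Error", 6: "Framed IP conflict",
    7: "Token code required", 8: "Token out of sync, another token needed",
    9: "Response buffer too small", 10: "Authentication timed out",
    11: "Max concurrent authentication sessions reached", 12: "Token code already used",
}
# RADIUS packet codes that appear in "RADIUS resp code N" (RFC 2865).
RADIUS_CODE = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
# MS-CHAPv2 error codes (RFC 2759 section 6), as listed above.
MSCHAP_ERROR = {
    646: "ERROR_RESTRICTED_LOGON_HOURS", 647: "ERROR_ACCT_DISABLED", 648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION", 691: "ERROR_AUTHENTICATION_FAILURE", 709: "ERROR_CHANGING_PASSWORD",
}

PATTERNS = {
    "requests": re.compile(r"Sent radius req to server '(?P<server>[^']+)':.*?IP=(?P<ip>[\d.]+)\("
                           r"(?P<endpoint>[^)]+)\) code=(?P<code>\d+) id=(?P<id>\d+) len=(?P<len>\d+) "
                           r'u="(?P<user>[^"]*)" using (?P<scheme>\w+)'),
    "responses": re.compile(r"RADIUS resp code (?P<code>\d+)"),
    "vsas": re.compile(r"FORTINET attr, type (?P<type>\d+), val (?P<value>\S+)"),
    "results": re.compile(r"result for radius svr '(?P<server>[^']+)' (?P<ip>[\d.]+)\(\d+\) is (?P<result>\d+)"),
    # "E=<code>" is the MS-CHAP-Error format (RFC 2759); the fnbamd wording around it is an assumption.
    "mschap_errors": re.compile(r"\bE=(?P<code>\d{3})\b"),
}


def parse_fnbamd(text):
    """Collect the interesting events from fnbamd debug output, in order of appearance."""
    events = {kind: [] for kind in PATTERNS}
    for line in text.splitlines():
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                events[kind].append({k: int(v) if v.isdigit() else v for k, v in m.groupdict().items()})
    return events


def diagnose(events):
    """Turn the parsed events into the verdict a troubleshooter wants, using the code lists above."""
    if not events["requests"]:
        return ("No request sent: fnbamd never built a RADIUS packet; check the server object "
                "name, the server address/DNS resolution and the source interface.")
    if not events["responses"]:
        return ("Request sent, no reply: check reachability on UDP/1812, firewalls in the path, and "
                "that this FortiGate is defined as a client (NAS) on the RADIUS server.")
    code = events["responses"][-1]["code"]
    verdict = RADIUS_CODE.get(code, "RADIUS code %d" % code)
    if code == 2:
        groups = [v["value"] for v in events["vsas"] if v["type"] == 1]  # Fortinet-Group-Name VSA
        verdict += ": authentication succeeded; Fortinet-Group-Name: " + (", ".join(groups) or "none")
    elif code == 3:
        verdict += (": credentials refused; check username/password, that the server allows the %s "
                    "scheme for this client, and the shared secret" % events["requests"][-1]["scheme"])
        names = [MSCHAP_ERROR.get(e["code"], "unknown %d" % e["code"]) for e in events["mschap_errors"]]
        if names:
            verdict += "; MS-CHAPv2 error: " + ", ".join(names)
    elif code == 11:
        verdict += ": the server asks for a second factor (token/OTP) or a password change"
    if events["results"]:
        r = events["results"][-1]["result"]
        verdict += " (fnbamd result %d = %s)" % (r, FNBAMD_RESULT.get(r, "unknown"))
    return verdict


# Lines taken from the successful test shown above (annotations removed).
SAMPLE_SUCCESS = """\
fnbamd_rad_send-Sent radius req to server 'FAC_RADUIS': fd=15, IP=192.168.1.99(192.168.1.99:1812) code=1 id=164 len=91 u="user1" using Pap
create_auth_session-Total 1 server(s) to try
fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
extract_success_vsas-FORTINET attr, type 1, val AdminGroup
fnbamd_auth_handle_radius_result-->result for radius svr 'FAC_RADUIS' 192.168.1.99(1) is 0
"""
# Constructed failure case: a reject carrying an MS-CHAPv2 error; the "E=691" line is illustrative only.
SAMPLE_REJECT = """\
fnbamd_rad_send-Sent radius req to server 'FAC_RADUIS': fd=15, IP=192.168.1.99(192.168.1.99:1812) code=1 id=165 len=140 u="user1" using MSCHAPv2
fnbamd_radius_auth_validate_pkt-RADIUS resp code 3
MS-CHAP-Error: E=691 R=0 V=3
fnbamd_auth_handle_radius_result-->result for radius svr 'FAC_RADUIS' 192.168.1.99(1) is 1
"""

if __name__ == "__main__":
    for sample in (SAMPLE_SUCCESS, SAMPLE_REJECT):
        print(diagnose(parse_fnbamd(sample)))
```

Paste the output of the fnbamd debug into a file and call parse_fnbamd on its contents; the verdict distinguishes the three cases that matter in practice (no request built, request with no reply, and a reply whose code and VSAs explain the result), which is exactly what the three code lists above are for.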
If a packet capture is taken on the FortiGate (# diagnose sniffer packet any "host x.x.x.x and port 1812" 6 0 a, where x.x.x.x is the RADIUS server address; verbosity 6 shows the full packet with interface names, and the capture can be converted and opened in Wireshark), the Code field of each RADIUS packet is interpreted as follows. A capture that contains only Access-Request (code 1) packets with no answer means the server never replied (network path, port or client definition on the server), whereas an Access-Reject (code 3) means the request arrived and the server refused it.
Code | Assignment |
---|---|
1 | Access-Request |
2 | Access-Accept |
3 | Access-Reject |
4 | Accounting-Request |
5 | Accounting-Response |
11 | Access-Challenge |
12 | Status-Server (experimental) |
13 | Status-Client (experimental) |
40 | Disconnect-Request |
41 | Disconnect-ACK |
42 | Disconnect-NAK |
43 | CoA-Request |
44 | CoA-ACK |
45 | CoA-NAK |
255 | Reserved |
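As an added example, not code from this article or from Fortinet, the following Python script encodes and decodes the RADIUS packet format whose codes the table lists. It builds the Access-Request that a PAP test sends (User-Password hidden with the MD5/XOR scheme of RFC 2865 section 5.2), parses the header and attribute TLVs the way Wireshark displays them, and checks the Response Authenticator of the reply against the shared secret, which is how an analyst with the secret can confirm from a capture that a reply really came from a server holding the same secret. The shared secret, NAS address, request ID and the Reply-Message text are constructed test values.

```python
import hashlib
import hmac
import os
import socket
import struct

# RADIUS packet codes (RFC 2865 / RFC 5176), matching the table above.
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge",
         12: "Status-Server", 13: "Status-Client", 40: "Disconnect-Request",
         41: "Disconnect-ACK", 42: "Disconnect-NAK", 43: "CoA-Request",
         44: "CoA-ACK", 45: "CoA-NAK", 255: "Reserved"}
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE = 1, 2, 4, 18


def tlv(attr_type, value):
    """One RADIUS attribute: Type (1 byte), Length (1 byte, header included), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def pap_encrypt(password, secret, request_auth):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def pap_decrypt(ciphertext, secret, request_auth):
    """Inverse of pap_encrypt: the server (or an analyst holding the secret) recovers the password."""
    out, prev = b"", request_auth
    for i in range(0, len(ciphertext), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(ciphertext[i:i + 16], keystream))
        prev = ciphertext[i:i + 16]
    return out.rstrip(b"\x00")


def build_packet(code, ident, authenticator, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(raw):
    """Split a packet into header fields and (type, value) attributes; rejects inconsistent lengths."""
    if len(raw) < 20:
        raise ValueError("packet shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 20 or length > len(raw):
        raise ValueError("length field %d inconsistent with %d bytes received" % (length, len(raw)))
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or raw[pos + 1] < 2 or pos + raw[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((raw[pos], raw[pos + 2:pos + raw[pos + 1]]))
        pos += raw[pos + 1]
    return {"code": code, "name": CODES.get(code, "Unknown"), "id": ident,
            "length": length, "authenticator": raw[4:20], "attrs": attrs}


def build_access_request(ident, username, password, secret, nas_ip):
    """What the NAS sends for a PAP authentication test."""
    request_auth = os.urandom(16)  # Request Authenticator: 16 random bytes
    attrs = [tlv(USER_NAME, username),
             tlv(USER_PASSWORD, pap_encrypt(password, secret, request_auth)),
             tlv(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))]
    return build_packet(1, ident, request_auth, attrs)


def response_authenticator(code, ident, length, request_auth, body, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, length) + request_auth + body + secret).digest()


def build_response(code, request, attrs, secret):
    """Server side: answer a request (Accept/Reject/Challenge) with the same ID, signed with the secret."""
    req = parse_packet(request)
    body = b"".join(attrs)
    auth = response_authenticator(code, req["id"], 20 + len(body), req["authenticator"], body, secret)
    return struct.pack("!BBH", code, req["id"], 20 + len(body)) + auth + body


def verify_response(response, request, secret):
    """Client side, or from a capture: does the reply match the request ID and carry a valid authenticator?"""
    req, resp = parse_packet(request), parse_packet(response)
    if resp["id"] != req["id"]:
        return False
    expected = response_authenticator(resp["code"], resp["id"], resp["length"],
                                      req["authenticator"], response[20:resp["length"]], secret)
    return hmac.compare_digest(expected, resp["authenticator"])


if __name__ == "__main__":
    secret = b"testing123"  # constructed shared secret
    request = build_access_request(164, b"user1", b"password", secret, "10.0.0.1")
    accept = build_response(2, request, [tlv(REPLY_MESSAGE, b"ok")], secret)
    for pkt in (request, accept):
        p = parse_packet(pkt)
        print(p["name"], "id=%d len=%d attrs=%s" % (p["id"], p["length"], [t for t, _ in p["attrs"]]))
    print("authenticator valid:", verify_response(accept, request, secret))
    print("with wrong secret:", verify_response(accept, request, b"wrong"))
```

Two things worth noticing when reading a capture with this in mind: the ID in the reply must match the ID of the request (the debug line 'id=164' above is that field), and a reply whose Response Authenticator does not verify with the configured secret is silently dropped by the client, which shows up in the debug as a timeout rather than a reject. The PAP password hiding is reversible by anyone holding the shared secret, which is the reason to keep RADIUS traffic on a management network or inside IPsec.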