FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 190282


This article provides some technical tips for troubleshooting FortiOS authentication issues.


All FortiOS users



The following article assumes that the following authentication has been configured on the FortiGate:
  • Radius Server authentication.
  • LDAP server.
  • TACACS+ server.
  • RSA/ACE (SecurID) server.


  1. To show the configuration of the server, on the CLI, type the following commands to show some of the popular authentication servers:
  • show user radius: To show the RADIUS server configuration.
  • show user ldap: To show the LDAP configuration.
  • show user tacacs+: To show the TACACS+ server.


Here are all of the options:


FGT # show user

adgrp                   Configure FSSO groups.

certificate             Configure certificate users.

domain-controller       Configure domain controller entries.

exchange                Configure MS Exchange server entries.

fortitoken              Configure FortiToken.

fsso                    Configure Fortinet Single Sign On (FSSO) agents.

fsso-polling            Configure FSSO active directory servers for polling mode.

group                   Configure user groups.

krb-keytab              Configure Kerberos keytab entries.

ldap                    Configure LDAP server entries.

local                   Configure local users.

nac-policy              Configure NAC policy matching pattern to identify matching NAC devices.

password-policy         Configure user password policy.

peer                    Configure peer users.

peergrp                 Configure peer groups.

pop3                    POP3 server entry configuration.

quarantine              Configure quarantine support.

radius                  Configure RADIUS server entries.

saml                    SAML server entry configuration.

security-exempt-list    Configure security exemption list.

setting                 Configure user authentication setting.

tacacs+                 Configure TACACS+ server entries.


The following example shows an RSA server configured as a simple RADIUS server. (This is mandatory when configuring RSA authentication).
FG300B3908-----6 (radius) # show
config user radius
    edit "Radius1"
        set radius-port 1812
        set secret ENC +dBqbWUO2JFy7cgcB1hTP0/CPbLF1RL9iuC41HHPgt8RAQV91PR/Q4c++4xNV6IkHuKr0vXQX8EmBr0rwbhSGr9f71IgRY88d0qecT7qdVty+0DE
        set server ""
  1. Open a new CLI console window and set up a sniffer. Here are the sniffer commands to capture traffic from some of the most popular servers:
    • For RADIUS: diag sniffer packet any 'host <IP-address> and (port 1645 or port 1812)' 6 0 l
    • For LDAP/LDAPS: diag sniffer packet any 'host <IP-address> and (port 389 or port 636)' 6 0 l
    • For TACACS+: diag sniffer packet any 'host <IP-address> and port 49' 6 0 l


  1. Open another CLI console and execute the following CLI commands for authentication debug:


diag deb reset
diag deb console time en
diag deb app fnbamd -1
diag deb en


  1. Perform an authentication test, either in a new CLI console or in the CLI console of step 2:


diag test authserver <type-of-server> <server-name> <authentication-protocol> <username> <password>


  • Here is the list of <type-of-server> that you can do the authentication test:

FGT # diag test authserver

radius            Test RADIUS server. [Take 0-4 arg(s)]

tacacs+           test TACACS+ server. [Take 0-3 arg(s)]

radius-direct     Test RADIUS server directly. [Take 0-7 arg(s)]

ldap-direct       Test LDAP server directly. [Take 0-2 arg(s)]

tacacs+-direct    Test TACACS+ server directly. [Take 0-3 arg(s)]

ldap              Test LDAP server. [Take 0-3 arg(s)]

ldap-digest       Test LDAP HA1 password query. [Take 0-2 arg(s)]

ldap-search       Search LDAP server. [Take 0-10 arg(s)]

cert              Test certificate authentication. [Take 0-255 arg(s)]

pop3              Test POP3 server. [Take 0-3 arg(s)]

local             Test local user. [Take 0-3 arg(s)]

user              Test user with group/user ID/name(s). [Take 0-255 arg(s)]


  • The supported <authentication-protocol> are: pap chap mschap mschap2
This example assumes that PAP authentication is being used by the remote authentication server):
FGT400A-1 # diag test authserver radius <server> pap <username> <password>
  1. Use the following commands to stop the debug output: diag deb disable / diag deb reset
  2. If after applying the above steps the authentication still fails, collect the output taken in the above steps provide this information with the configuration file of the FortiGate, and contact Fortinet Support.