Created on 12-31-2004 12:00 AM Edited on 01-06-2025 12:27 AM By Jean-Philippe_P
Description
This article describes how to test FortiGate user authentication against a RADIUS server.
Scope
FortiGate.
Solution
The CLI of the FortiGate includes an authentication test command:
diagnose test authserver radius <server_name> <chap | pap | mschap | mschap2> <username> <password>
Run this test command as soon as the RADIUS server configuration is complete.
It does not require the FortiGate configuration to contain a user group or firewall policy.
If there are no issues with the RADIUS server configuration or user credentials, the RADIUS server returns an authentication confirmation and a list of the user groups for that user.
For example (command outputs from FortiOS v7.2):
diagnose debug application fnbamd -1
Debug messages will be on for 30 minutes.
diagnose debug enable
diagnose test authserver radius radserver1 pap raduser1 password123
[1909] handle_req-Rcvd auth req 1190820099 for raduser1 in radserver1 opt=0100001d prot=0
[489] __compose_group_list_from_req-Group 'radserver1', type 1
[616] fnbamd_pop3_start-raduser1
[531] __fnbamd_cfg_get_radius_list_by_server-Loading RADIUS server 'radserver1'
[342] fnbamd_create_radius_socket-Opened radius socket 10
[342] fnbamd_create_radius_socket-Opened radius socket 11
[1476] fnbamd_radius_auth_send-Compose RADIUS request
[1433] fnbamd_rad_dns_cb-10.5.56.169->10.5.56.169
[1405] __fnbamd_rad_send-Sent radius req to server 'radserver1': fd=10, IP=10.5.56.169(10.5.56.169:1812) code=1 id=1 len=97 user="raduser1" using PAP <- Username and scheme.
[319] radius_server_auth-Timer of rad 'radserver1' is added
[652] create_auth_session-Total 1 server(s) to try
[1950] handle_req-r=4
[1522] fnbamd_auth_handle_radius_result-Timer of rad 'radserver1' is deleted
[1890] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2 <- 2=Access-Accept, 3=Access-Reject, 11=Access-Challenge.
[323] extract_success_vsas-FORTINET attr, type 1, val radgroup1 <- RADIUS attributes.
[1548] fnbamd_auth_handle_radius_result-->Result for radius svr 'radserver1' 10.5.56.169(1) is 0 <- 0=Authentication successful, 1=Authentication failed.
[281] find_matched_usr_grps-Skipped group matching
[209] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 1190820099, len=2551
authenticate 'raduser1' against 'pap' succeeded, server=primary assigned_rad_session_id=1190820099 session_timeout=0 secs idle_timeout=0 secs!
Group membership(s) - radgroup1
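The Python below is an added example, not part of the original article and not Fortinet code. It reads fnbamd debug text like the output above and reports the server, scheme, RADIUS response code, result and groups. The function name, the verdict labels and the "no-response" inference (request sent, no response code line seen) are assumptions of this example.

```python
import re

# Meanings as annotated in the article's sample output.
RESP_CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

SENT_RE = re.compile(r"Sent radius req to server '([^']+)': .*?IP=[^(]+\(([\d.]+):(\d+)\)"
                     r'.*?user="([^"]*)" using (\S+)')          # IPv4 servers only
RESP_RE = re.compile(r"fnbamd_radius_auth_validate_pkt-RADIUS resp code (\d+)")
VSA_RE = re.compile(r"extract_success_vsas-FORTINET attr, type (\d+), val (\S+)")
RESULT_RE = re.compile(r"Result for radius svr '[^']+' \S+ is (\d+)")

# Key lines copied from the article's FortiOS v7.2 output (annotations removed).
SAMPLE = """\
[1405] __fnbamd_rad_send-Sent radius req to server 'radserver1': fd=10, IP=10.5.56.169(10.5.56.169:1812) code=1 id=1 len=97 user="raduser1" using PAP
[1890] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[323] extract_success_vsas-FORTINET attr, type 1, val radgroup1
[1548] fnbamd_auth_handle_radius_result-->Result for radius svr 'radserver1' 10.5.56.169(1) is 0
"""


def summarize(debug_text):
    """Summarize one 'diagnose test authserver radius' run from fnbamd debug text."""
    out = {"server": None, "ip": None, "port": None, "user": None, "scheme": None,
           "resp_code": None, "resp_name": None, "result": None, "groups": []}
    for line in debug_text.splitlines():
        if m := SENT_RE.search(line):
            out.update(server=m[1], ip=m[2], port=int(m[3]), user=m[4], scheme=m[5])
        elif m := RESP_RE.search(line):
            out.update(resp_code=int(m[1]),
                       resp_name=RESP_CODES.get(int(m[1]), "unknown"))
        elif m := VSA_RE.search(line):
            # Assumption: type 1 carries the group name, as in the article's sample.
            if m[1] == "1":
                out["groups"].append(m[2])
        elif m := RESULT_RE.search(line):
            out["result"] = int(m[1])
    # Verdict labels are this example's own, not FortiOS terms.
    if out["server"] is None:
        out["verdict"] = "no-request-seen"      # no debug output to work from
    elif out["resp_code"] is None:
        out["verdict"] = "no-response"          # sent, never answered: check the path
    elif out["result"] == 0:
        out["verdict"] = "success"
    elif out["result"] == 1:
        out["verdict"] = "failed"
    else:
        out["verdict"] = "undetermined"
    return out


if __name__ == "__main__":
    print(summarize(SAMPLE))
```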
If no debug output appears, verify connectivity to the RADIUS server by pinging it:
execute ping a.b.c.d -> a.b.c.d is the server IP
The packet sniffer can be used to verify that traffic is going out on the correct interface.