This article describes how to test FortiGate user authentication against a RADIUS server.
The CLI of the FortiGate includes an authentication test command:
# diagnose test authserver radius <server_name> <chap | pap | mschap | mschap2> <username> <password>
Run this test command as soon as the RADIUS server configuration is completed.
It does not require the FortiGate configuration to contain a user group or firewall policy.
If there are no issues with the RADIUS server configuration or the user credentials, the RADIUS server returns an authentication confirmation and a list of the user groups for that user.
For example (command outputs from FortiOS 6.2):
# diagnose debug application fnbamd -1
# diagnose debug enable
# diagnose test authserver radius WIN16 mschap2 radiususer1 P@$$w0rd1
[2274] handle_req-Rcvd auth req 457812035 for radiususer1 in WIN16 opt=0000001d prot=4
[398] __compose_group_list_from_req-Group 'WIN16'
[614] fnbamd_pop3_start-radiususer1
[540] __fnbamd_cfg_get_radius_list_by_server-Loading RADIUS server 'WIN16'
[305] fnbamd_create_radius_socket-Opened radius socket 15
[305] fnbamd_create_radius_socket-Opened radius socket 16
[1342] fnbamd_radius_auth_send-Compose RADIUS request
[1309] fnbamd_rad_dns_cb-172.16.190.216->172.16.190.216
[1284] __fnbamd_rad_send-Sent radius req to server 'WIN16': fd=15, IP=172.16.190.216(172.16.190.216:1812) code=1 id=95 len=157 user="radiususer1" using MS-CHAPv2 <----- Username and scheme
[282] radius_server_auth-Timer of rad 'WIN16' is added
[557] create_auth_session-Total 1 server(s) to try
[2406] fnbamd_auth_handle_radius_result-Timer of rad 'WIN16' is deleted
[1750] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2 >>> 2=Access-Accept, 3=Access-Reject, 11=Access-Challenge
[309] extract_success_vsas-FORTINET attr, type 1, val radiusgroup <----- Radius attributes
[2432] fnbamd_auth_handle_radius_result <----- Result for radius svr 'WIN16' 172.16.190.216(1) is 0 >>> 0=Authentication successful, 1=Authentication failed
[2362] fnbamd_radius_group_match-Skipping group matching
[986] find_matched_usr_grps-Skipped group matching
[182] fnbamd_comm_send_result-Sending result 0 (error 0, nid 0) for req 457812035
authenticate 'radiususer1' against 'mschap2' succeeded, server=primary assigned_rad_session_id=457812035 session_timeout=0 secs idle_timeout=0 secs!
Group membership(s) – radiusgroup
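The debug output above can be reduced to the few fields worth checking (server, user, scheme, RADIUS response code, result and returned groups). The following Python parser is an added example, not part of the original article or of any Fortinet tooling. The names parse_fnbamd, SAMPLE and REJECT are hypothetical, and REJECT is a constructed failure case that assumes the same line format as the successful run.

```python
import re

# Code meanings as annotated in the article's debug output.
RADIUS_CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
RESULTS = {0: "Authentication successful", 1: "Authentication failed"}

PATTERNS = {
    "request": re.compile(r"Sent radius req to server '([^']+)':.*?IP=([\d.]+)\(.*?user=\"([^\"]+)\" using (\S+)"),
    "resp_code": re.compile(r"RADIUS resp code (\d+)"),
    "group": re.compile(r"FORTINET attr, type 1, val (\S+)"),
    "result": re.compile(r"Result for radius svr '([^']+)' \S+ is (\d+)"),
}

# Lines taken from the FortiOS 6.2 output above, inline annotations included.
SAMPLE = """\
[1284] __fnbamd_rad_send-Sent radius req to server 'WIN16': fd=15, IP=172.16.190.216(172.16.190.216:1812) code=1 id=95 len=157 user="radiususer1" using MS-CHAPv2 <----- Username and scheme
[1750] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2 >>> 2=Access-Accept, 3=Access-Reject, 11=Access-Challenge
[309] extract_success_vsas-FORTINET attr, type 1, val radiusgroup <----- Radius attributes
[2432] fnbamd_auth_handle_radius_result <----- Result for radius svr 'WIN16' 172.16.190.216(1) is 0
"""

# Constructed failure case (assumption: a reject uses the same line shapes).
REJECT = """\
[1750] fnbamd_radius_auth_validate_pkt-RADIUS resp code 3
[2432] fnbamd_auth_handle_radius_result-Result for radius svr 'WIN16' 172.16.190.216(1) is 1
"""

def parse_fnbamd(text):
    """Summarise one 'diagnose test authserver radius' debug run."""
    out = {"groups": []}
    for line in text.splitlines():
        if m := PATTERNS["request"].search(line):
            out.update(server=m[1], ip=m[2], user=m[3], scheme=m[4])
        elif m := PATTERNS["resp_code"].search(line):
            code = int(m[1])
            out["response"] = RADIUS_CODES.get(code, f"code {code}")
        elif m := PATTERNS["group"].search(line):
            out["groups"].append(m[1])  # group name returned by the server
        elif m := PATTERNS["result"].search(line):
            out["result"] = RESULTS.get(int(m[2]), f"result {m[2]}")
    # Treat the run as good only when packet code and daemon result agree.
    out["authenticated"] = (out.get("response") == "Access-Accept"
                            and out.get("result") == RESULTS[0])
    return out

if __name__ == "__main__":
    print(parse_fnbamd(SAMPLE))
```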
https://kb.fortinet.com/kb/documentLink.do?externalID=10675