Administration Guide

Troubleshooting

The following table describes some of the basic issues that can occur while using your FortiAuthenticator device, with suggestions for resolving them.

Problem: All user login attempts fail, there is no response from the FortiAuthenticator device, and there are no entries in the system log.
Suggestions:
  • Verify that traffic is reaching the FortiAuthenticator device.
  • Check whether an intervening firewall is blocking 1812/UDP RADIUS authentication traffic, whether the routing is correct, whether the authentication client is configured with the correct IP address for FortiAuthenticator, etc.

Problem: All user login attempts fail with the message RADIUS ACCESS-REJECT, and invalid password is shown in the logs.
Suggestions:
  • Verify that the authentication client secrets are identical to those on FortiAuthenticator.

Problem: Generally, user login attempts are successful, but an individual user's authentication attempt fails with invalid password shown in the logs.
Suggestions:
  • Reset the user’s password and try again. See Editing a user.
  • Have the user privately show their password to the administrator to check for unexpected characters (possibly due to keyboard regionalization issues).

Problem: Generally, user login attempts are successful, but an individual user's authentication attempt fails with invalid token shown in the logs.
Suggestions:
  • Verify that the user is not trying to use a previously used PIN. Tokens are one-time passwords, so you cannot log in twice with the same PIN.
  • Verify that the time and time zone on FortiAuthenticator are correct and, preferably, synchronized using NTP. See Configuring the system date, time, and time zone.
  • Verify that the token is correctly synchronized with FortiAuthenticator, and verify the drift by synchronizing the token. See FortiToken drift adjustment.
  • Verify that the user is using the token assigned to them (validate the serial number against the FortiAuthenticator configuration). See User management.
  • If the user is using an email or SMS token, verify that it is being used within the valid timeout period. See Lockouts.
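
Why a mismatched client secret shows up as invalid password for every user, as an added example that is not part of the Fortinet guide. It assumes the authentication client uses PAP, where RFC 2865 section 5.2 masks the User-Password attribute with MD5(secret + Request Authenticator); the secrets, password and function names are constructed for illustration.

```python
import hashlib
import hmac


def _keystream(secret: bytes, prev: bytes) -> bytes:
    # RFC 2865 section 5.2: each 16-byte block is masked with MD5(secret + prev)
    return hashlib.md5(secret + prev).digest()


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Client side: build the User-Password attribute value (PAP)."""
    if not 1 <= len(password) <= 128 or len(request_auth) != 16:
        raise ValueError("password must be 1-128 bytes, authenticator 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], _keystream(secret, prev)))
        hidden += block
        prev = block  # later blocks chain on the previous masked block
    return hidden


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: reverse the masking using the server's copy of the secret."""
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += bytes(a ^ b for a, b in zip(block, _keystream(secret, prev)))
        prev = block
    return clear.rstrip(b"\x00")


def password_matches(hidden, server_secret, request_auth, stored_password) -> bool:
    # Compare what the server recovers with the password it has on record
    recovered = unhide_password(hidden, server_secret, request_auth)
    return hmac.compare_digest(recovered, stored_password)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment
    auth = bytes(range(16))
    pw = b"correct horse battery"  # 21 bytes, so it spans two 16-byte blocks
    wire = hide_password(pw, b"client-secret", auth)
    print("same secret     :", password_matches(wire, b"client-secret", auth, pw))
    print("different secret:", password_matches(wire, b"Client-secret", auth, pw))
    print("server decodes  :", unhide_password(wire, b"Client-secret", auth))
```

From the password check alone, a wrong secret is indistinguishable from a wrong password, which is why the failure affects every user behind that authentication client rather than one account.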
