- There is an authentication client entry for the FortiGate unit (see RADIUS service).
- The user trying to authenticate has a valid active account that is not disabled, and that the username and password are entered correctly.
- The user account allows RADIUS authentication if RADIUS is enabled on the FortiGate unit.
- The FortiGate unit can communicate with FortiAuthenticator, on the required ports:
- RADIUS Authentication: UDP/1812
- LDAP: TCP/389
- The user account exists either:
- as a local user on the FortiAuthenticator (if using RADIUS authentication),
- in the local LDAP directory (if using local LDAP authentication),
- and/or in the remote LDAP directory (if using RADIUS authentication with remote LDAP password validation).
- The user is a member in the expected user groups and these user groups are allowed to communicate on the authentication client (e.g. the FortiGate).
- If authentication fails with the log error "bad password", try resetting the password. If this fails, verify that the pre-shared secret is identical on both FortiAuthenticator and the authentication client.
- Verify that the token is correctly synchronized.
- Remove the token from the user authentication configuration and verify authentication works when the token is not present.
- Attempt to log into the FortiAuthenticator with the user credentials.
These steps enable the administrator to identify whether the problem is with the FortiGate unit, the credentials, or the FortiToken.