Fortinet Document Library

Version:

Version:


Table of Contents

Download PDF
Copy Link

Troubleshooting

Logging

If authentication fails, you can check the FortiAuthenticator log files for additional information.

To debug a bad password:

If the user insists that they have the correct credentials, try resetting the password.

If authentication continues to fail, verify that you have entered the correct shared Secret on both the client and FortiAuthenticator.

To debug a bad token code:

This issue may be due to a user error (entering the incorrect Token), or caused by a timing issue.

To troubleshoot this issue, verify the following:

  • The user is not attempting to use a previously used PIN. You cannot log in twice with the same token PIN.
  • The time and time zone on the FortiAuthenticator is correct, and preferably synchronized using NTP.
  • The token is correctly synched with FortiAuthenticator.
To debug when nothing is logged:

If the logs do not include either a failure or a successful authentication logged, it is likely due to one of the following:

  • The request is not reaching the FortiAuthenticator.
    • Verify that any intervening firewalls are permitting the required traffic through the network. RADIUS authentication traffic requires UDP Port 1812 to be open to the FortiAuthenticator and that pseudo-stateful responses are allowed to return.
  • The request is reaching the FortiAuthenticator but is being ignored.
    • If traffic is seen reaching the FortiAuthenticator (e.g. by packet sniffing) but is being ignored, it is likely that the requesting client is not configured in the FortiAuthenticator.
    • Verify that the client is sending the traffic from the expected IP address and not from a secondary IP address or alternative interface. The FortiAuthenticator RADIUS server will not respond to requests from an unknown client for security reasons.

Extended logging

The logs found at Logging > Log Access > Logs provide a summary of events occurring on the system, particularly the information required for audit purposes (e.g. who logged in and where from). When a more detailed view is required in order to troubleshoot issues, detailed system application logs can be found by navigating to https://<FAC IP>/debug.

RADIUS authentication debugging mode can be accessed to debug RADIUS authentication issues.

From the Service dropdown menu, select RADIUS Authentication, and click Enter debug mode from the toolbar.

Enter the username and password and select OK to test the RADIUS authentication and view the authentication response and returned attributes.

Traffic sniffing

Wireshark can be used to monitor traffic being sent and received to the FortiAuthenticator by setting it to capture traffic on UDP port 1812.

RADIUS packet generation

Testing authentication directly without the use of a NAS device is useful to rule out issues with the client. This is most easily achieved using a tool such as NTRADPing on Windows or radclient on Linux.

Troubleshooting

Logging

If authentication fails, you can check the FortiAuthenticator log files for additional information.

To debug a bad password:

If the user insists that they have the correct credentials, try resetting the password.

If authentication continues to fail, verify that you have entered the correct shared Secret on both the client and FortiAuthenticator.

To debug a bad token code:

This issue may be due to a user error (entering the incorrect Token), or caused by a timing issue.

To troubleshoot this issue, verify the following:

  • The user is not attempting to use a previously used PIN. You cannot log in twice with the same token PIN.
  • The time and time zone on the FortiAuthenticator is correct, and preferably synchronized using NTP.
  • The token is correctly synched with FortiAuthenticator.
To debug when nothing is logged:

If the logs do not include either a failure or a successful authentication logged, it is likely due to one of the following:

  • The request is not reaching the FortiAuthenticator.
    • Verify that any intervening firewalls are permitting the required traffic through the network. RADIUS authentication traffic requires UDP Port 1812 to be open to the FortiAuthenticator and that pseudo-stateful responses are allowed to return.
  • The request is reaching the FortiAuthenticator but is being ignored.
    • If traffic is seen reaching the FortiAuthenticator (e.g. by packet sniffing) but is being ignored, it is likely that the requesting client is not configured in the FortiAuthenticator.
    • Verify that the client is sending the traffic from the expected IP address and not from a secondary IP address or alternative interface. The FortiAuthenticator RADIUS server will not respond to requests from an unknown client for security reasons.

Extended logging

The logs found at Logging > Log Access > Logs provide a summary of events occurring on the system, particularly the information required for audit purposes (e.g. who logged in and where from). When a more detailed view is required in order to troubleshoot issues, detailed system application logs can be found by navigating to https://<FAC IP>/debug.

RADIUS authentication debugging mode can be accessed to debug RADIUS authentication issues.

From the Service dropdown menu, select RADIUS Authentication, and click Enter debug mode from the toolbar.

Enter the username and password and select OK to test the RADIUS authentication and view the authentication response and returned attributes.

Traffic sniffing

Wireshark can be used to monitor traffic being sent and received to the FortiAuthenticator by setting it to capture traffic on UDP port 1812.

RADIUS packet generation

Testing authentication directly without the use of a NAS device is useful to rule out issues with the client. This is most easily achieved using a tool such as NTRADPing on Windows or radclient on Linux.