Administration Guide

WebUI authentication issues

When a local or remote administrator account fails to log in, the WebUI usually displays an authentication failure message.

Authentication failure. Please try again…

Possible causes:
  • The local or remote administrator name exists, but the password is wrong;

  • The remote administrator name exists on FortiWeb, but the remote server (User > Remote Server) has not been added to the corresponding Admin User Group; that is, the selected group in User > User Group > Admin Group has no members;

  • The remote administrator name exists on FortiWeb, but the remote server added into the Admin User Group is not reachable;

  • The remote administrator name exists on FortiWeb, but does not exist on the remote server;

  • For remote users, you can capture packets on FortiWeb to see whether the authentication query is sent to the remote server, or check the error logs on the remote server to find possible reasons;

  • For remote users, you can click the "Test LDAP", "Test Radius" or "Test TACACS+" button in User > Remote Server > LDAP/Radius/TACACS+ Server to test whether the remote user/administrator can be verified successfully.

If the test fails, the Test page displays an error message that helps you quickly judge the possible cause. The possible causes for each message are listed below.

Radius Server:

  • Invalid credentials: Unsupported Authentication Scheme configured, or an incorrect username or password was used for the test;

  • Failed to receive RADIUS response: Unreachable server IP/Domain or port configured;

  • Bad response from RADIUS server: Incorrect Server Secret configured;

  • Radius server auth failed: Usually occurs when the remote user is set up with OTP authentication (e.g. FortiToken, Email, EMS, etc.), because the Test does not currently support OTP verification in a pop-up window.
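
The RADIUS messages above correspond to distinct protocol outcomes. The following added example (not Fortinet code) applies the RFC 2865 Response Authenticator check to constructed replies to show why a mismatched Server Secret surfaces as a bad response rather than as a rejected login; the mapping of each outcome to a Test-page message is an assumption inferred from the descriptions above.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 2, 3, 11  # RFC 2865 codes
BAD = "Bad response from RADIUS server"

def build_reply(code, ident, request_auth, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs

def classify(reply, ident, request_auth, secret):
    """Return the Test-page message assumed to match one request/reply outcome."""
    if reply is None:                        # timeout: wrong IP/domain or port
        return "Failed to receive RADIUS response"
    if len(reply) < 20:                      # shorter than a RADIUS header
        return BAD
    code, reply_id, length = struct.unpack("!BBH", reply[:4])
    if reply_id != ident or not 20 <= length <= len(reply):
        return BAD
    reply = reply[:length]                   # octets past Length are padding
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return BAD                           # client and server secrets differ
    if code == ACCESS_ACCEPT:
        return "Success"
    if code == ACCESS_CHALLENGE:             # assumed mapping: OTP challenge
        return "Radius server auth failed"
    if code == ACCESS_REJECT:                # assumed mapping: login rejected
        return "Invalid credentials"
    return BAD

def demo():
    """Classify constructed replies; every value here is a made-up sample."""
    req_auth = bytes(range(16))              # constructed Request Authenticator
    secret = b"constructed-secret"           # secret configured on the server
    reply = lambda code: build_reply(code, 7, req_auth, secret)
    return {
        "no reply": classify(None, 7, req_auth, secret),
        "wrong secret": classify(reply(ACCESS_REJECT), 7, req_auth, b"typo-secret"),
        "reject": classify(reply(ACCESS_REJECT), 7, req_auth, secret),
        "challenge": classify(reply(ACCESS_CHALLENGE), 7, req_auth, secret),
        "accept": classify(reply(ACCESS_ACCEPT), 7, req_auth, secret),
    }

if __name__ == "__main__":
    for case, message in demo().items():
        print(f"{case:13} -> {message}")
```

The same Access-Reject packet yields "Invalid credentials" when the secrets match and "Bad response from RADIUS server" when they do not, so check the Server Secret before the test account's password.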

LDAP Server:

  • Failed to connect to LDAP server: Incorrect server IP / Domain or port configured;

  • Failed to search user DN: Incorrect Common Name Identifier, Distinguished Name or Filter configured; or the LDAP server configuration is correct, but an incorrect username was used for the test;

  • Failed to bind LDAP server: The LDAP server configuration is correct, but an incorrect password (with a correct username) was used for the test;

  • Failed to login to LDAP server: Incorrect User DN or Password configured.

TACACS+ Server:

  • Invalid Credentials: Incorrect Server Secret configured; an incorrect username or password was used for the test; or the remote user is set up with OTP authentication (e.g. FortiToken, Email, EMS, etc.);

  • Server test error: Unreachable server IP/Domain configured.

The "Test LDAP", "Test Radius", or "Test TACACS+" button does not work when the remote user is set up on FortiAuthenticator with an OTP authentication method such as FortiToken, because OTP authentication requires entering a challenge code and the Test window does not support redirecting to a new window.

Invalid username or password

Possible causes:
  • The local administrator name does not exist on FortiWeb.

  • The local or remote administrator name exists on FortiWeb, but the password is incorrect.
