Troubleshoot the Fortinet Application integration
You can use the Fortinet command line interface (CLI) to debug issues.
Attempt to Authenticate and Review Messages from the Console
Use this procedure when an attempt to authenticate fails.
From the CLI console, run the following commands:
# diag debug application fnbamd 7
# diag debug enable
Unsuccessful Results Sample
Bad User or Bad Credentials
[1943] handle_req-Rcvd auth req 1189741811 for baduser in Okta Radius Group opt=00000500 prot=10
[608] fnbamd_pop3_start-baduser
[539] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'Okta RADIUS' for usergroup 'Okta Radius Group' (3)
[314] radius_start-Opened radius socket 12
[1203] fnbamd_radius_auth_send-Compose RADIUS request
[1427] fnbamd_radius_auth_send-Sent radius req to server 'Okta RADIUS': fd=12, IP=10.20.251.19 code=1 id=135 len=122 user="baduser" using PAP
[682] auth_tac_plus_start-Didn't find tac_plus servers (0)
[402] ldap_start-Didn't find ldap servers (0)
[460] create_auth_session-Total 1 server(s) to try
[1626] fnbamd_radius_auth_validate_pkt-RADIUS resp code 3
[2580] fnbamd_auth_handle_radius_result-->Result for radius svr 'Okta RADIUS' 10.20.251.19(0) is 1
[180] fnbamd_comm_send_result-Sending result 1 (error 0) for req 1189741811
[602] destroy_auth_session-delete session 1189741811
[1943] handle_req-Rcvd auth req 1189741812 for baduser in Special1 opt=00000500 prot=10
[608] fnbamd_pop3_start-baduser
[304] radius_start-Didn't find radius servers (0)
[682] auth_tac_plus_start-Didn't find tac_plus servers (0)
[402] ldap_start-Didn't find ldap servers (0)
[452] create_auth_session-Error starting authentication
[1962] handle_req-Error creating session
[180] fnbamd_comm_send_result-Sending result 3 (error 0) for req 1189741812
Successful Results Samples
Good Credentials Entered and Challenge Received
[1943] handle_req-Rcvd auth req 1189741817 for test in Okta Radius Group opt=00000500 prot=10
[608] fnbamd_pop3_start-test
[539] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'Okta RADIUS' for usergroup 'Okta Radius Group' (3)
[314] radius_start-Opened radius socket 12
[1203] fnbamd_radius_auth_send-Compose RADIUS request
[1427] fnbamd_radius_auth_send-Sent radius req to server 'Okta RADIUS': fd=12, IP=10.20.251.19 code=1 id=143 len=119 user="test" using PAP
[682] auth_tac_plus_start-Didn't find tac_plus servers (0)
[402] ldap_start-Didn't find ldap servers (0)
[460] create_auth_session-Total 1 server(s) to try
[1626] fnbamd_radius_auth_validate_pkt-RADIUS resp code 11
[2580] fnbamd_auth_handle_radius_result-->Result for radius svr 'Okta RADIUS' 10.20.251.19(0) is 2
[180] fnbamd_comm_send_result-Sending result 2 (error 0) for req 1189741817
Security Question Selected for Challenge Method
[2161] handle_req-Rcvd chal rsp for req 1189741817
[1203] fnbamd_radius_auth_send-Compose RADIUS request
[1427] fnbamd_radius_auth_send-Sent radius req to server 'Okta RADIUS': fd=12, IP=10.20.251.19 code=1 id=144 len=209 user="test" using PAP
[1626] fnbamd_radius_auth_validate_pkt-RADIUS resp code 11
[2580] fnbamd_auth_handle_radius_result-->Result for radius svr 'Okta RADIUS' 10.20.251.19(0) is 2
[180] fnbamd_comm_send_result-Sending result 2 (error 0) for req 1189741817
Security Question Answered Successfully
[2161] handle_req-Rcvd chal rsp for req 1189741817
[1203] fnbamd_radius_auth_send-Compose RADIUS request
[1427] fnbamd_radius_auth_send-Sent radius req to server 'Okta RADIUS': fd=12, IP=10.20.251.19 code=1 id=145 len=209 user="test" using PAP
[1626] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[2580] fnbamd_auth_handle_radius_result-->Result for radius svr 'Okta RADIUS' 10.20.251.19(0) is 0
[2611] fnbamd_auth_handle_radius_result-Skipping group matching
[863] find_matched_usr_grps-Skipped group matching
[180] fnbamd_comm_send_result-Sending result 0 (error 0) for req 1189741817
[602] destroy_auth_session-delete session 1189741817
[2251] handle_req-Rcvd 7 req
[301] fnbamd_acct_start_START-Error starting acct
[1288] create_acct_session-Error start acct type 7
[2265] handle_req-Error creating acct session 7
Successful Sign Out
[2251] handle_req-Rcvd 8 req
[359] fnbamd_acct_start_STOP-Error starting acct
[1288] create_acct_session-Error start acct type 8
[2265] handle_req-Error creating acct session 8
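To triage a long fnbamd capture, the following added example (not Okta or Fortinet code) reduces the debug output to one record per "Sending result" entry, pairing it with the RADIUS response code that preceded it. The function name summarize is hypothetical, the RADIUS code names come from RFC 2865, and the sample input is abridged from the samples above.

```python
import re

# RADIUS packet codes (RFC 2865) seen in "RADIUS resp code N".
RADIUS = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

REQ = re.compile(r"handle_req-Rcvd auth req (\d+) for (\S+) in (.+?) opt=")
RESP = re.compile(r"validate_pkt-RADIUS resp code (\d+)")
NOSRV = re.compile(r"radius_start-Didn't find radius servers")
RESULT = re.compile(r"send_result-Sending result (\d+) \(error \d+\) for req (\d+)")

def summarize(log_text):
    """Return one dict per 'Sending result' entry, in log order."""
    users, events = {}, []
    code, no_server = None, False
    # Split on the "[NNNN] " prefixes so flattened console output also parses.
    for entry in re.split(r"\[\d+\]\s*", log_text):
        if m := REQ.search(entry):
            users[m.group(1)] = (m.group(2), m.group(3))
        elif m := RESP.search(entry):
            code = int(m.group(1))
        elif NOSRV.search(entry):
            no_server = True  # user group has no RADIUS server to try
        elif m := RESULT.search(entry):
            user, group = users.get(m.group(2), (None, None))
            events.append({
                "req": m.group(2), "user": user, "group": group,
                "radius": RADIUS.get(code, "none" if code is None else str(code)),
                "result": int(m.group(1)), "no_radius_server": no_server,
            })
            code, no_server = None, False  # reset for the next exchange
    return events

# Constructed sample: entries abridged from the debug samples on this page.
SAMPLE = """\
[1943] handle_req-Rcvd auth req 1189741811 for baduser in Okta Radius Group opt=00000500 prot=10
[1626] fnbamd_radius_auth_validate_pkt-RADIUS resp code 3
[180] fnbamd_comm_send_result-Sending result 1 (error 0) for req 1189741811
[1943] handle_req-Rcvd auth req 1189741812 for baduser in Special1 opt=00000500 prot=10
[304] radius_start-Didn't find radius servers (0)
[180] fnbamd_comm_send_result-Sending result 3 (error 0) for req 1189741812
[1943] handle_req-Rcvd auth req 1189741817 for test in Okta Radius Group opt=00000500 prot=10
[1626] fnbamd_radius_auth_validate_pkt-RADIUS resp code 11
[180] fnbamd_comm_send_result-Sending result 2 (error 0) for req 1189741817
[2161] handle_req-Rcvd chal rsp for req 1189741817
[1626] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[180] fnbamd_comm_send_result-Sending result 0 (error 0) for req 1189741817
"""

if __name__ == "__main__":
    for e in summarize(SAMPLE):
        print(e)
```

A record with "radius" set to "none" and "no_radius_server" true, as for the Special1 group in the sample, means the request never reached the RADIUS server, so the failure is in the FortiGate user group configuration rather than in the credentials.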
Capture Packets
Administrators need to capture packets.
From the CLI Console, run the following command:
# diag sniffer packet any 'port 1812' 6 0 a
Replace 1812 with the UDP port configured in your environment.
Unsuccessful Results Sample
Bad User or Bad Credentials
Successful Results Samples
Good Credentials Entered and Challenge Received
Security Question Selected for Challenge Method
Security Question Answered Successfully