Troubleshoot the Fortinet app integration

To debug problems, you can use the Fortinet command-line interface (CLI).

Attempt to authenticate and review the messages from the console

The authentication attempt failed.

From the CLI console, run the following commands:

# diag debug application fnbamd 7
# diag debug enable

Examples of unsuccessful results

Incorrect credentials or user


[1943] handle_req-Rcvd auth req 1189741811 for baduser in 
       Okta Radius Group opt=00000500 prot=10
[608] fnbamd_pop3_start-baduser
[539] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS 
      server 'Okta RADIUS' for usergroup 
      'Okta Radius Group' (3)
[314] radius_start-Opened radius socket 12
[1203] fnbamd_radius_auth_send-Compose RADIUS request
[1427] fnbamd_radius_auth_send-Sent radius req to server 
       'Okta RADIUS': fd=12,  IP=10.20.251.19 code=1 
       id=135 len=122 user="baduser" using PAP
[682] auth_tac_plus_start-Didn't find tac_plus servers (0)
[402] ldap_start-Didn't find ldap servers (0)
[460] create_auth_session-Total 1 server(s) to try
[1626] fnbamd_radius_auth_validate_pkt-RADIUS resp code 3
[2580] fnbamd_auth_handle_radius_result-->Result for 
       radius svr 'Okta RADIUS' 10.20.251.19(0) is 1
[180] fnbamd_comm_send_result-Sending result 1 
       (error 0) for req 1189741811
[602] destroy_auth_session-delete session 1189741811
[1943] handle_req-Rcvd auth req 1189741812 for baduser 
       in Special1 opt=00000500 prot=10
[608] fnbamd_pop3_start-baduser
[304] radius_start-Didn't find radius servers (0)
[682] auth_tac_plus_start-Didn't find tac_plus servers (0)
[402] ldap_start-Didn't find ldap servers (0)
[452] create_auth_session-Error starting authentication
[1962] handle_req-Error creating session
[180] fnbamd_comm_send_result-Sending result 3 
      (error 0) for req 1189741812

Examples of successful results

Correct credentials and challenge received


[1943] handle_req-Rcvd auth req 1189741817 for test in Okta Radius Group opt=00000500 prot=10
[608] fnbamd_pop3_start-test
[539] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS 
      server 'Okta RADIUS' for usergroup 
      'Okta Radius Group' (3)
[314] radius_start-Opened radius socket 12
[1203] fnbamd_radius_auth_send-Compose RADIUS request
[1427] fnbamd_radius_auth_send-Sent radius req to server 
       'Okta RADIUS': fd=12, IP=10.20.251.19 code=1 
       id=143 len=119 user="test" using PAP
[682] auth_tac_plus_start-Didn't find tac_plus servers (0)
[402] ldap_start-Didn't find ldap servers (0)
[460] create_auth_session-Total 1 server(s) to try
[1626] fnbamd_radius_auth_validate_pkt-RADIUS 
       resp code 11
[2580] fnbamd_auth_handle_radius_result-->Result 
       for radius svr 'Okta RADIUS' 10.20.251.19(0) is 2
[180] fnbamd_comm_send_result-Sending 
      result 2 (error 0) for req 1189741817

Challenge method selected: security question


[2161] handle_req-Rcvd chal rsp for req 1189741817
[1203] fnbamd_radius_auth_send-Compose RADIUS request
[1427] fnbamd_radius_auth_send-Sent radius req to server 
       'Okta RADIUS': fd=12, IP=10.20.251.19 
       code=1 id=144 len=209 user="test" using PAP
[1626] fnbamd_radius_auth_validate_pkt-RADIUS resp code 11
[2580] fnbamd_auth_handle_radius_result-->Result for 
       radius svr 'Okta RADIUS' 10.20.251.19(0) is 2
[180] fnbamd_comm_send_result-Sending result 2 
      (error 0) for req 1189741817

Correct answer to the security question


[2161] handle_req-Rcvd chal rsp for req 1189741817
[1203] fnbamd_radius_auth_send-Compose RADIUS request
[1427] fnbamd_radius_auth_send-Sent radius req to server 
       'Okta RADIUS': fd=12, IP=10.20.251.19 
       code=1 id=145 len=209 user="test" using PAP
[1626] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[2580] fnbamd_auth_handle_radius_result-->Result
       for radius svr 'Okta RADIUS' 10.20.251.19(0) is 0
[2611] fnbamd_auth_handle_radius_result-Skipping 
       group matching
[863] find_matched_usr_grps-Skipped group matching
[180] fnbamd_comm_send_result-Sending result 0 
       (error 0) for req 1189741817
[602] destroy_auth_session-delete session 1189741817
[2251] handle_req-Rcvd 7 req
[301] fnbamd_acct_start_START-Error starting acct
[1288] create_acct_session-Error start acct type 7
[2265] handle_req-Error creating acct session 7

Successful logout


[2251] handle_req-Rcvd 8 req
[359] fnbamd_acct_start_STOP-Error starting acct
[1288] create_acct_session-Error start acct type 8
[2265] handle_req-Error creating acct session 8
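
To triage longer debug sessions, the fnbamd output above can be grouped per request and labelled with the RADIUS packet type behind each "resp code" (RFC 2865: 2 Access-Accept, 3 Access-Reject, 11 Access-Challenge). The following is an added example, not Okta or Fortinet code; the sample log is constructed in the format shown above with shortened request ids, and the function names are hypothetical. It assumes requests are not interleaved, because "resp code" lines carry no request id, and it records fnbamd result numbers without interpreting them.

```python
import re

# RADIUS packet type codes (RFC 2865).
RADIUS = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
# Constructed sample in the format of the fnbamd debug output (two entries wrapped).
SAMPLE = """\
[1943] handle_req-Rcvd auth req 1001 for baduser in
       Okta Radius Group opt=00000500 prot=10
[1626] fnbamd_radius_auth_validate_pkt-RADIUS resp code 3
[180] fnbamd_comm_send_result-Sending result 1 (error 0) for req 1001
[1943] handle_req-Rcvd auth req 1002 for baduser in Special1 opt=00000500 prot=10
[304] radius_start-Didn't find radius servers (0)
[180] fnbamd_comm_send_result-Sending result 3 (error 0) for req 1002
[1943] handle_req-Rcvd auth req 1003 for test in Okta Radius Group opt=00000500 prot=10
[1626] fnbamd_radius_auth_validate_pkt-RADIUS
       resp code 11
[180] fnbamd_comm_send_result-Sending result 2 (error 0) for req 1003
[2161] handle_req-Rcvd chal rsp for req 1003
[1626] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[180] fnbamd_comm_send_result-Sending result 0 (error 0) for req 1003
"""

def unwrap(text):
    """Join wrapped continuation lines (not starting with '[n]') onto the previous entry."""
    entries = []
    for line in text.splitlines():
        if re.match(r"\[\d+\]", line) or not entries:
            entries.append(line.strip())
        elif line.strip():
            entries[-1] += " " + line.strip()
    return entries

def summarize(text):
    """Return {request id: user, group, RADIUS steps, fnbamd results, last verdict}."""
    reqs, cur = {}, None  # cur = most recent request; resp-code lines have no id
    for e in unwrap(text):
        if m := re.search(r"Rcvd auth req (\d+) for (\S+) in (.+?) opt=", e):
            cur = reqs.setdefault(m[1], {"user": m[2], "group": m[3], "steps": [],
                                         "results": [], "verdict": "no response"})
        elif m := re.search(r"Rcvd chal rsp for req (\d+)", e):
            cur = reqs.get(m[1])
        elif cur and "Didn't find radius servers" in e:
            cur["verdict"] = "no RADIUS server for group"
        elif cur and (m := re.search(r"RADIUS resp code (\d+)", e)):
            cur["steps"].append(RADIUS.get(int(m[1]), "code " + m[1]))
            cur["verdict"] = cur["steps"][-1]
        elif (m := re.search(r"Sending result (\d+) .*for req (\d+)", e)) and m[2] in reqs:
            reqs[m[2]]["results"].append(int(m[1]))
    return reqs
```

A verdict of "no RADIUS server for group" separates a user-group configuration problem from a credential rejection, which otherwise look alike to the person signing in.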

Packet capture

Administrators must capture packets.

From the CLI console, run the following commands:


# diag sniffer packet any 'port 1812' 6 0 a

Replace the port used in the command with the UDP port configured in your environment.

Examples of unsuccessful results

Incorrect credentials or user

Examples of successful results

Correct credentials and challenge received

Challenge method selected: security question

Correct answer to the security question