Troubleshooting
Troubleshooting includes useful tips and commands to help deal with issues that may occur. For additional help, contact customer support. See Troubleshooting on page 159 for more information.
If you have issues when attempting authentication on a FortiGate unit using the FortiAuthenticator, there are some FortiAuthenticator and FortiGate settings to check.
In addition to these settings you can use log entries, monitors, and debugging information to determine more knowledge about your authentication problems. For help with FortiAuthenticator logging, see Logging on page 154. For help with FortiGate troubleshooting, see the FortiOS Handbook Troubleshooting and User Authentication guides chapters.
FortiAuthenticator settings
When checking FortiAuthenticator settings, you should ensure that:
l there is an authentication client entry for the FortiGate unit. See RADIUS service on page 91, l the user trying to authenticate has a valid active account that is not disabled, and that the username and password are spelled correctly,
CLI commands
- the user account allows RADIUS authentication if RADIUS is enabled on the FortiGate unit, l the FortiGate unit can communicate with the FortiAuthenticator unit, on the required ports:
RADIUS Authentication: UDP/1812
LDAP: TCP/389 l the user account exists l as a local user on the FortiAuthenticator (if using RADIUS authentication), l in the local LDAP directory (if using local LDAP authentication), l in the remote LDAP directory (if using RADIUS authentication with remote LDAP password validation),
- the user is a member in the expected user groups and these user groups are allowed to communicate on the authentication client (the FortiGate unit, for example),
- If authentication fails with the log error bad password, try resetting the password. If this fails, verify that the preshared secret is identical on both the FortiAuthenticator unit and the authentication client.
If FortiToken authentication is failing, try the following:
- Verify that the token is correctly synchronized.
- Remove the token from the user authentication configuration and verify authentication works when the token is not present. l Attempt to log into the FortiAuthenticator with the user credentials.
These steps enable the administrator to identify whether the problem is with the FortiGate unit, the credentials or the FortiToken.
FortiGate settings
When checking FortiGate authentication settings, you should ensure that:
l the user has membership in the required user groups and identity-based security policies, l there is a valid entry for the FortiAuthenticator device as a remote RADIUS or LDAP server, l the user is configured either explicitly or as a wildcard user.
CLI commands
The FortiAuthenticator has CLI commands that are accessed using SSH or Telnet. Their purpose is to initially configure the unit, perform a factory reset, or reset the values if the GUI is not accessible.
| Command | Description | |
| help | Display list of valid CLI commands. You can also enter ? for help. | |
| exit | Terminate the CLI session. | |
| Command | Description | |
| show | Display bootstrap configuration. |
CLI commands
| Command | Description |
| set port1-ip
<IP/netmask> |
Enter the IPv4 address and netmask for the port1 interface. Netmask is expected in the /xx format, for example 192.168.0.1/24. Once this port is configured, you can use the GUI to configure the remaining ports. |
| set default-gw <IP> | Enter the IPv4 address of the default gateway for this interface. This is the default route for this interface. |
| set date <YYYY-MM-DD> | Enter the current date. Valid format is four digit year, two digit month, and two digit day. For example: set date 2014-08-12 sets the date to August 12th, 2014. |
| set time <HH:MM:SS> | Enter the current time. Valid format is two digits each for hours, minutes, and seconds. 24-hour clock is used. For example 15:10:00 is 3:10pm. |
| set tz <timezone_ index> | Enter the current time zone using the time zone index. To see a list of index numbers and their corresponding time zones, enter set tz ?. |
| set ha-mode
{enable | disable} |
Enable or disable (default) HA mode. |
| set ha-port
<interface> |
Select a network interface to use for communication between the two cluster members. This interface must not already have an IP address assigned and it cannot be used for authentication services.
Both units must use the same interface for HA communication. |
| set ha-priority
{high | low} |
Set to Low on one unit and High on the other. Normally, the unit with High priority is the master unit. |
| set ha-password <password> | Set the HA password. |
| set ha-mgmt-ip
<IP/netmask> |
Enter the IP address, with netmask, that this unit uses for HA related communication with the other FortiAuthenticator unit. Format:
1.2.3.4/24. The two units must have different addresses. Usually, you should assign addresses on the same private subnet. |
| set ha-mgmt-access
{ssh | https | http | telnet} |
Select the types of administrative access to allow. |
| set ha-dbg-level <level> | Enter the level for HA service debug logs. Range: -4 (fatal) to 4 (debug high). Default: -2 (warn). |
| unset <setting> | Restore default value. For each set command listed above, there is an unset command, for example unset port1-ip. |
CLI commands
| Command | Description |
| raid-add-disk <slot> | Add a disk to a degraded RAID array. |
| Command | Description |
| ha-rebuild | Rebuild the configuration database from scratch using the HA peer’s configuration. |
| restore-admin | Restore factory reset’s admin access settings to the port1 network interface. |
| reboot | Perform a hard restart of the FortiAuthenticator unit. All sessions will be terminated. The unit will go offline and there will be a delay while it restarts. |
| factory-reset | Enter this command to reset the FortiAuthenticator settings to factory default settings. This includes clearing the user database. This procedure deletes all changes that you have made to the
FortiAuthenticator configuration and reverts the system to its original configuration, including resetting interface addresses. |
| shutdown | Turn off the FortiAuthenticator. |
| status | Display basic system status information including firmware version, build number, serial number of the unit, and system time. |
| Command | Description |
| hardware-info | Display general hardware status information. |
| disk-attributes | Display system disk attributes. |
| disk-errors | Display any system disk errors. |
| disk-health | Display disk health information. |
| disk-info | Display disk hardware status information. |
| raid-hwinfo | Display RAID hardware status information. |
| Command | Description |
| nslookup | Basic tool for DNS debugging. |
| dig | Advanced DNS debugging. |
| ping | Test network connectivity to another network host. |
CLI commands
| Command | Description |
| tcpdump | Examine local network traffic. |
| tcpdumpfile | Same as tcpdump, but the output is written to a downloadable file that can be downloaded in the GUI. |
| traceroute | Examine the route taken to another network host. |