Troubleshooting – FortiAuthenticator 4.0

Troubleshooting

This chapter provides suggestions to resolve common problems encountered while configuring and using your FortiAuthenticator device, as well as information on viewing debug logs.

For more support, contact Fortinet Customer Service & Support (support.fortinet.com).

Before starting, please ensure that your FortiAuthenticator device is plugged into an appropriate and functional power source.

Troubleshooting

The following table describes some of the basic issues that can occur while using your FortiAuthenticator device, and suggestions on how to solve said issues.

Problem: All user login attempts fail, there is no response from the FortiAuthenticator device, and there are no entries in the system log.
Suggestions:
- Check that the authentication client has been correctly configured. See Adding a FortiAuthenticator unit to your network on page 16. If the authentication client is not configured, all requests are silently dropped.
- Verify that traffic is reaching the FortiAuthenticator device: check whether an intervening firewall is blocking RADIUS authentication traffic (1812/UDP), whether the routing is correct, and whether the authentication client is configured with the correct IP address for the FortiAuthenticator unit.

Problem: All user login attempts fail with the message RADIUS ACCESS-REJECT, and invalid password is shown in the logs.
Suggestions:
- Verify that the authentication client secrets are identical to those on the FortiAuthenticator unit.

Problem: Generally, user login attempts are successful; however, an individual user authentication attempt fails with invalid password shown in the logs.
Suggestions:
- Reset the user's password and try again. See Editing a user on page 60.
- Have the user privately show their password to the administrator to check for unexpected characters (possibly due to keyboard regionalization issues).

Problem: Generally, user login attempts are successful; however, an individual user authentication attempt fails with invalid token shown in the logs.
Suggestions:
- Verify that the user is not trying to reuse a previously used PIN. Tokens are one-time passwords, so you cannot log in twice with the same PIN.
- Verify that the time and time zone on the FortiAuthenticator unit are correct and, preferably, synchronized using NTP. See Configuring the system time, time zone, and date on page 27.
- Verify that the token is correctly synchronized with the FortiAuthenticator unit, and verify the drift by synchronizing the token. See FortiToken drift adjustment on page 75.
- Verify that the user is using the token assigned to them (validate the serial number against the FortiAuthenticator unit configuration). See User management on page 57.
- If the user is using an e-mail or SMS token, verify that it is being used within the valid timeout period. See Lockouts on page 55.

Debug logs

Extended debug logs can be accessed by using your web browser to browse to https://<FortiAuthenticator IP Address>/debug.

Service: Select the service whose logs are shown from the drop-down list:
- FSSO Agent
- GUI
- HA
- LDAP
- RADIUS Accounting
- RADIUS Authentication
- SNMP
- Startup
- Web Server
Enter debug mode: If RADIUS Authentication is selected as the service, the option to enter the debug mode is available. See RADIUS debugging on page 161.
Search: Enter a search term in the search field, then select Search to search the debug logs.
Page navigation: Use the First Page, Previous Page, Next Page, and Last Page icons to navigate through the logs.
Show: Select the number of lines to show per page from the drop-down list. The options are: 100 (default), 250, and 500.

RADIUS debugging

RADIUS authentication debugging mode can be accessed to debug RADIUS authentication issues.

In the debug logs screen, select RADIUS Authentication from the Service drop-down list, then select Enter debug mode from the toolbar.

Enter the username and password then select OK to test the RADIUS authentication and view the authentication response and returned attributes.

Select Exit debug mode to deactivate the debugging mode.
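The debug mode above tests authentication on the FortiAuthenticator itself, so it cannot reveal a firewall, routing or wrong-IP problem between the authentication client and the unit; the three RADIUS outcomes in the troubleshooting table (silent drop, Access-Reject, success) can be reproduced from the client's side with a minimal PAP Access-Request sender. This is an added example, not Fortinet's code or a FortiAuthenticator feature; the host, username, password and shared secret are assumptions supplied by the caller, and the test data is constructed offline.

```python
import hashlib, os, socket, struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RADIUS packet codes (RFC 2865)

def pap_hide(data, secret, authenticator, decrypt=False):
    # RFC 2865 s5.2 User-Password hiding: XOR 16-byte blocks with an MD5 keystream chained on ciphertext
    padded = data + b"\x00" * (-len(data) % 16 or 16 * (not data))
    out, prev = bytearray(), authenticator
    for chunk in (padded[i:i + 16] for i in range(0, len(padded), 16)):
        block = bytes(a ^ b for a, b in zip(chunk, hashlib.md5(secret + prev).digest()))
        out += block
        prev = chunk if decrypt else block  # when decrypting, the input chunk is the ciphertext
    return bytes(out)

def build_access_request(username, password, secret, ident=1, authenticator=None):
    authenticator = authenticator or os.urandom(16)  # fixed only by tests; random per request otherwise
    hidden = pap_hide(password.encode(), secret, authenticator)
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in ((1, username.encode()), (2, hidden)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs, authenticator

def build_response(code, ident, request_authenticator, secret, attrs=b""):
    # Server-side reply construction (RFC 2865 s3); used here only to produce constructed offline test data
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def response_authenticator_ok(response, request_authenticator, secret):
    # Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret); a mismatch means a different secret
    body = response[20:struct.unpack("!H", response[2:4])[0]]
    return response[4:20] == hashlib.md5(response[:4] + request_authenticator + body + secret).digest()

def diagnose(response, request_authenticator, secret):
    # Map the outcome onto the rows of the troubleshooting table above
    if response is None:
        return "no response: check the client is configured on the FortiAuthenticator and 1812/UDP is not filtered"
    if not response_authenticator_ok(response, request_authenticator, secret):
        return "bad Response Authenticator: shared secret differs between client and FortiAuthenticator"
    if response[0] == ACCESS_REJECT:
        return "Access-Reject: verify the shared secret, then the user's password or token"
    return "Access-Accept: authentication succeeded" if response[0] == ACCESS_ACCEPT else "unexpected RADIUS code"

def probe(host, username, password, secret, timeout=3.0):
    # Send one PAP Access-Request to the FortiAuthenticator; a timeout means the request was silently dropped
    packet, request_authenticator = build_access_request(username, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, 1812))
        try:
            response = sock.recvfrom(4096)[0]
        except socket.timeout:
            response = None
    return diagnose(response, request_authenticator, secret)
```

Run probe("192.0.2.10", "alice", "password", b"shared-secret") from the authentication client itself (the address is a placeholder): a timeout corresponds to the first row of the table, an Access-Reject to the second.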

This entry was posted in Administration Guides, FortiAuthenticator and tagged on by .
