Fortinet’s official documentation, including the FortiOS Handbook and NSE 7 training materials,
provides detailed guidance on troubleshooting RADIUS authentication issues. The three tools listed
below are explicitly supported for diagnosing RADIUS-related problems in FortiOS:
B. You can use the diagnose test authserver radius command to verify RADIUS server configuration,
user credentials, and user group membership.
This command is a well-documented troubleshooting tool in the FortiOS CLI Reference and Technical
Documentation. It allows administrators to manually test RADIUS authentication by specifying the
RADIUS server, username, and password. The output provides details on whether the authentication
succeeds or fails, along with information about group membership and server reachability. For
example:
bash
CollapseWrapCopy
diagnose test authserver radius
This is a critical tool for verifying the RADIUS server's configuration and user authentication flow.
D. You can enable debug for the fnbamd process to view RADIUS authentication details.
The fnbamd process (FortiNet Authentication Daemon) handles non-local authentication protocols
like RADIUS and LDAP in FortiOS. Enabling debug for this process provides real-time logs of the
authentication exchange between the FortiGate and the RADIUS server. This is officially
recommended in Fortinet’s troubleshooting guides for advanced diagnostics. The command
sequence is:
bash
CollapseWrapCopy
diagnose debug application fnbamd -1
diagnose debug enable
After testing, you can disable debugging with diagnose debug disable. This tool is invaluable for
identifying issues such as misconfigured shared secrets, timeouts, or attribute mismatches.
E. You can use the diagnose test application radiusd command to verify the RADIUS server
configuration, user credentials, and user group membership.
The radiusd process relates to the RADIUS daemon on the FortiGate, and this diagnostic command
tests the RADIUS server’s operational status and authentication functionality. While less commonly
highlighted than diagnose test authserver radius, it is referenced in Fortinet’s CLI documentation for
deeper troubleshooting of the RADIUS service itself. It provides detailed output about the server’s
response and can help isolate issues specific to the RADIUS protocol implementation.
Why not A and C?
A. You can enable debug for the fssod process to view RADIUS authentication details.
The fssod process relates to FortiSSO (Single Sign-On) and is primarily used for FSSO-based
authentication, not direct RADIUS troubleshooting. While it may log some authentication-related
events in specific SSO scenarios, it is not a standard tool for RADIUS diagnostics according to
Fortinet’s official documentation. Thus, it is not a correct choice here.
C. You can check the Firewall Users widget to view the list of active RADIUS users.
While the Firewall Users widget (available in the FortiOS GUI under User & Authentication > Firewall
Users) shows a list of authenticated users, it is a monitoring tool, not a troubleshooting tool. It does
not provide diagnostic details about RADIUS authentication failures or server issues, making it
insufficient for this purpose per Fortinet’s troubleshooting methodology.
Source Verification
The answers are derived from official Fortinet resources, including:
FortiOS 7.0 CLI Reference (diagnose commands section)
FortiOS Handbook: Authentication (RADIUS troubleshooting section)
NSE 7 - LAN Edge 7.0 training materials (authentication diagnostics module)
These tools (B, D, E) align with Fortinet’s recommended practices for diagnosing RADIUS
authentication issues effectively.
