skaneria
Staff
Article Id 190240

Description

 

When a RADIUS or TACACS+ server is added to the FortiGate and a connectivity test is performed, an authentication failure for the user 'test01' may be seen in packet captures or logs from remote servers.


This article explains the behavior of the Test Connectivity tool for RADIUS and TACACS+ servers in the FortiGate GUI.

 

Scope

 

FortiGate, RADIUS, TACACS+.

Solution

FortiGate uses the username 'test01' and password 'test01' to check RADIUS and TACACS+ server connectivity.
When Test Connectivity is run, FortiGate generates an authentication request with 'test01' as the username.

 

To test connectivity for RADIUS, navigate to User & Authentication > RADIUS Servers > Edit Server > Select Test Connectivity.

 

The following packet capture was taken while running Test Connectivity. It shows the username sent by the FortiGate as 'test01' and the password as 'test01':

 

Radius-2.png

 

To test connectivity for TACACS+, navigate to User & Authentication > TACACS+ Servers > Edit Server > Select Test.

 

The following packet capture was taken while running Test Connectivity. It shows the username sent by the FortiGate as 'test01' and the password as 'test01':

 

TACACS+Test01.png

 

Because a user named 'test01' with the password 'test01' may not be configured on the servers, the authentication may fail. However, the firewall judges connectivity by the response it receives: if it was able to read the response message, it reports the connection attempt as successful. If the firewall was unable to read the response message, it displays that connectivity failed.

 

Note: The passwords in both the RADIUS and TACACS+ packets can only be seen by decrypting the packets in Wireshark, using the shared secret for RADIUS and the encryption key for TACACS+.

 

 

Related Documents

Troubleshooting Tip: Decrypt RADIUS and TACACS+ packets using Wireshark