FortiGate
bpozdena_FTNT
Article Id 266131
Description
This article explains the RADIUS server reachability status cache which was introduced in FortiOS 7.4.0.
Scope
FortiOS 7.4.
Solution
When a secondary or tertiary RADIUS server is configured, FortiOS versions before 7.4 always attempt to contact the primary server first, even when it is unreachable. This introduces unnecessary delays in user authentication and, with some configurations, can even cause authentication failures.
To optimize this behavior, FortiOS 7.4.0 introduced the RADIUS server reachability status cache, which prevents authentication requests from being sent to unresponsive RADIUS servers. When FortiOS detects that a primary RADIUS server has failed to respond six times consecutively, it marks the server as unreachable for 5 minutes (set status-ttl 300), during which the server is not contacted. FortiOS instead contacts the secondary or tertiary server directly, depending on their status.
The current reachability status of the RADIUS servers can be obtained with the CLI command 'diagnose test application fnbamd 6'. Each RADIUS server has one of the three status codes below associated with it:
Status Code  Status Name    Description
-1           Undetermined   No authentication requests have been sent to this server within the configured Time To Live period (set status-ttl 300). Authentication requests can be sent to this server.
0            Unreachable    The server failed to respond 6 times consecutively. No requests will be sent to this server until status-ttl times out.
1            Reachable      The server responded at least once within the configured status-ttl period. Authentication requests can be sent to this server.
Examples:

Configuration:

The basic configuration of the RADIUS profile with primary, secondary, and tertiary servers configured.
config user radius
    edit "FAC"
        set server "10.109.19.24" # Primary RADIUS server
        set secret fortinet
        set auth-type pap
        set secondary-server "10.109.20.23" # Secondary RADIUS server
        set secondary-secret fortinet
        set tertiary-server "10.211.0.195" # Tertiary RADIUS server
        set tertiary-secret fortinet
        set timeout 5 # Seconds to wait for a response before retrying on the next server
        set status-ttl 300 # Server reachability cache duration
    next
end
Debug example:

Snippet of fnbamd debug output (collected with the command 'diagnose debug application fnbamd -1'), showing an increasing number of consecutive connection failures.
# Initiating connection to primary server 10.109.19.24
2023-07-28 10:12:40 [566] fnbamd_rad_make_access_request-
2023-07-28 10:12:40 [329] __create_access_request-Compose RADIUS request
2023-07-28 10:12:40 [549] __create_access_request-Created RADIUS Access-Request. Len: 100.
2023-07-28 10:12:40 [758] __rad_rxtx-Sent radius req to server 'FAC': fd=11, IP=10.109.19.24(10.109.19.24:1812) code=1 id=115 len=100
2023-07-28 10:12:40 [767] __rad_rxtx-Start rad conn timer.

# The server did not respond within the configured 5 second timeout, so the connection timed out and the failure counter was incremented (conn_fails 4/5). This server has now failed to respond four times in a row and will be marked as unreachable after two more connection timeouts.
2023-07-28 10:12:45 [639] __rad_conn_timeout-Connction with FAC:10.109.19.24 timed out.
2023-07-28 10:12:45 [907] __rad_error-Ret 10, st = 1.
2023-07-28 10:12:45 [296] fnbamd_radius_get_next_auth_prot-Next auth prot PAP
2023-07-28 10:12:45 [930] __rad_error-Conn failed.
2023-07-28 10:12:45 [985] fnbamd_cfg_radius_update_reachability-10.109.19.24, conn_fails 4/5
2023-07-28 10:12:45 [725] __rad_rxtx-fd 11, state 1(Auth)
2023-07-28 10:12:45 [727] __rad_rxtx-Stop rad conn timer.
Current server status:

Example of RADIUS server reachability states.
diag test app fnbamd 6
...
RADIUS servers: (7)
...
FAC (ref=1)
Flags: 0028
Network Protocol: UDP
Timeout: 5
Server '10.109.19.24', port 1812, reachable: 0 (131 secs ago) # The server has been flagged as unreachable 131 seconds ago.
# It will not be used until status-ttl is reached.
Server '10.109.20.23', port 1812, reachable: 1 (119 secs ago) # Server is reachable and last responded 119 seconds ago.
Server '10.211.0.195', port 1812, reachable: -1 (0 secs ago) # Server status is undetermined as it has not yet been contacted.
...
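The following is an added example (not Fortinet code) that parses the 'Server ...' lines of the fnbamd status output above into the three status codes from the table, picks the first server the cache would still allow a request to, and models the cache itself (six consecutive timeouts mark a server unreachable until status-ttl expires). The internal semantics of the FortiOS cache are assumed from this article; the sample output is constructed from the example shown above.

```python
import re

STATUS_TTL = 300        # seconds, matching "set status-ttl 300" on this page
CONSECUTIVE_FAILS = 6   # consecutive timeouts before a server is marked unreachable
# Constructed sample, modelled on the 'diag test app fnbamd 6' output shown above.
SAMPLE_OUTPUT = """\
Server '10.109.19.24', port 1812, reachable: 0 (131 secs ago)
Server '10.109.20.23', port 1812, reachable: 1 (119 secs ago)
Server '10.211.0.195', port 1812, reachable: -1 (0 secs ago)
"""
SERVER_RE = re.compile(r"Server '(?P<ip>[^']+)', port (?P<port>\d+), "
                       r"reachable: (?P<status>-1|0|1) \((?P<age>\d+) secs ago\)")

def parse_fnbamd_status(text):
    """Return server records (ip, port, status, age) in configured order, primary first."""
    return [{k: (v if k == "ip" else int(v)) for k, v in m.groupdict().items()}
            for m in SERVER_RE.finditer(text)]

def next_server(servers, status_ttl=STATUS_TTL):
    """First server not cached as unreachable (status 0 with a mark younger than status-ttl)."""
    for s in servers:
        if not (s["status"] == 0 and s["age"] < status_ttl):
            return s["ip"]
    return None

class ReachabilityCache:
    """Model of the cache (assumed semantics, not FortiOS code): N consecutive timeouts
    mark a server unreachable (0); an entry not updated for status_ttl reverts to -1."""
    def __init__(self, status_ttl=STATUS_TTL, max_fails=CONSECUTIVE_FAILS):
        self.ttl, self.max_fails = status_ttl, max_fails
        self.state = {}   # ip -> {"fails": n, "status": s, "since": t}

    def record(self, ip, responded, now):
        """Register one request outcome at time 'now' (seconds); return the new status."""
        e = self.state.setdefault(ip, {"fails": 0, "status": -1, "since": now})
        if now - e["since"] >= self.ttl:       # stale entry: start counting afresh
            e.update(fails=0, status=-1)
        e["since"] = now
        if responded:
            e.update(fails=0, status=1)
        else:
            e["fails"] += 1
            if e["fails"] >= self.max_fails:
                e["status"] = 0
        return e["status"]

    def status(self, ip, now):  # -1 undetermined, 0 unreachable (skipped), 1 reachable
        e = self.state.get(ip)
        return -1 if e is None or now - e["since"] >= self.ttl else e["status"]
```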