"Issue Resolving Urgency is high." :-) So you have a support contract and opened a TAC ticket, and got that resolved already, right?
Otherwise you haven't figured out that the forum is basically user-to-user support and we are helping here on a voluntary basis.
What would definitely help you and us to assess the situation is:
- software versions on both ends, FortiGate and FortiAuthenticator
- FortiOS debug output 'diag debug application fnbamd 7' .. as that's the daemon responsible for almost all outer auth, the debug might suggest something
- another hint might come from a packet capture, like .. diag sniff pack any 'host <your-secret-FAC-IP> and port not 8000' 4 0 a
To see at least if there is any request and response, or better with verbosity 6 instead of 4, or use the GUI packet capture, ideally on both ends to confirm traffic is flowing unchanged so there is no man in the middle/firewall there.
Ideally there is supposed to be a test RADIUS Access-Request from FGT to FAC with User-Name=test01, followed by a RADIUS response, probably Access-Reject .. simply to check there IS a RADIUS service running on FAC
- if single-factor (probably password-based) auth via FAC is working and 2FA is not, then it might be a separate issue and I would suggest having a look at the respective RADIUS Service Policy on FAC.
-- Are your requests matching the right/intended policy (as the order of the policies does matter)?
-- Isn't "Password-only authentication" set on the 'Authentication factors' side?
-- Does the test user even have any 2FA set?
- how is the authentication "for remote RADIUS users" set on FGT: do all the requests go to FAC, or are there locally defined users on FGT with 'set type radius' pointing to FAC? If so, then does the used username match the record on FGT, because by default FGT is case-sensitive (as any Unix system). And that could be overridden in the user config via 'set username-case-sensitivity'. As that's one of the common caveats where a non-matching username + remote server in the same user group on FGT (or worse: a RADIUS server on FGT with 'set all-usergroup enable') makes an unintended fallback to the remote server and avoids 2FA this way. But that's a configuration mistake.
- on FAC check that FGT is properly set as a RADIUS Service Client and used in some policy, as FAC will NOT respond to anyone without being set as a known Client first!
- and lastly, check on the FAC side .. GUI logs, and the GUI debug page https://<FAC-IP>/debug/radius/
Even basic output there might provide some hints, and you can even turn the RADIUS server to debug mode for increased log verbosity (I would not keep it in debug mode for normal operations, so turn it off after troubleshooting).
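To make the test exchange described above concrete (Access-Request for User-Name=test01, Access-Reject back, and the "is the traffic unchanged between FGT and FAC" question), here is an added Python walkthrough of the RFC 2865 wire format. It is not code from the post, FortiGate or FortiAuthenticator; it builds the request the way a NAS does, builds the reply the way a RADIUS server does, and runs the client-side checks (Identifier, Length, Response Authenticator) that tell you whether a reply really came from a server holding the same shared secret and reached you unmodified. The shared secret, NAS IP and password are constructed sample values.

```python
"""Worked RFC 2865 RADIUS round trip: test Access-Request for test01 and the
Access-Reject that proves a RADIUS service is answering. All values are constructed."""
import hashlib
import hmac
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
CODE_NAMES = {ACCESS_REQUEST: "Access-Request", ACCESS_ACCEPT: "Access-Accept",
              ACCESS_REJECT: "Access-Reject", ACCESS_CHALLENGE: "Access-Challenge"}
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP, ATTR_REPLY_MESSAGE = 1, 2, 4, 18


def attr(atype, value):
    """Type(1) Length(1) Value; Length counts the two header bytes."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def encrypt_user_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    blocks = max(1, -(-len(password) // 16))
    padded = password.ljust(blocks * 16, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decrypt_user_password(cipher, secret, request_auth):
    """Server side of the same scheme; trailing NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier, username, password, secret, nas_ip, request_auth=None):
    """What the NAS (FGT) sends: Code 1, random 16-byte Request Authenticator, attributes."""
    request_auth = request_auth or secrets.token_bytes(16)
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_USER_PASSWORD, encrypt_user_password(password.encode(), secret, request_auth))
             + attr(ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def parse_attributes(data):
    """Walk the TLV list; raises on a truncated or under-length attribute."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def response_authenticator(code, identifier, length, request_auth, attrs, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, length)
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, request, secret, attrs=b""):
    """What the server (FAC) sends back; the authenticator binds the reply to that request."""
    identifier, request_auth = request[1], request[4:20]
    auth = response_authenticator(code, identifier, 20 + len(attrs), request_auth, attrs, secret)
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + auth + attrs


def check_response(response, request, secret):
    """Client-side validation before trusting a reply.
    Returns (code name, {attr type: value}); raises ValueError on any mismatch."""
    if len(response) < 20:
        raise ValueError("short packet")
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        raise ValueError("Length field does not match packet size")
    if identifier != request[1]:
        raise ValueError("Identifier does not match the outstanding request")
    expected = response_authenticator(code, identifier, length, request[4:20], response[20:], secret)
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("bad Response Authenticator: wrong shared secret or packet altered in transit")
    return CODE_NAMES.get(code, "code %d" % code), dict(parse_attributes(response[20:]))


def demo():
    """The test exchange from the post with constructed values: request for test01, reject back."""
    secret = b"constructed-shared-secret"      # constructed, not a real deployment secret
    req = build_access_request(7, "test01", "not-the-real-password", secret, "192.0.2.1")
    rej = build_response(ACCESS_REJECT, req, secret, attr(ATTR_REPLY_MESSAGE, b"Authentication failed"))
    verdict = check_response(rej, req, secret)
    try:                                        # same reply checked with a mismatching secret
        check_response(rej, req, b"some-other-secret")
        mismatch_detected = False
    except ValueError:
        mismatch_detected = True
    return verdict, mismatch_detected


if __name__ == "__main__":
    print(demo())
```

A reject that passes check_response is good news in this context: the service is up, the client is known, and the secret on both ends matches. Silence (no reply at all) points at the FAC client/policy configuration or something in between; a reply that fails the authenticator check points at a secret mismatch or a device rewriting packets on the path.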