Technical Tip: RADIUS authentication with Cisco device acting as Client and FortiAuthenticator as RADIUS server
Description
This article describes a common scenario in which authentication fails because of an invalid shared secret in the RADIUS configuration.
Scope
FortiAuthenticator, Cisco (any device that can be used as a RADIUS client, e.g. Cisco ISE, Cisco ACS, Cisco routers and switches, Cisco Meraki).
Solution
The configuration required on FortiAuthenticator is as below:
- On FortiAuthenticator, navigate to Authentication -> RADIUS Service -> Clients, and select Create New to add the Cisco device as a RADIUS client.

Add the RADIUS policy and add the group used for authentication. In this example, the group is 'LDAP_AD_GROUP'.


- To debug on FortiAuthenticator, navigate to https://x.x.x.x/debug, go to Log -> Categories -> RADIUS -> Authentication, enable Debug Mode, and enable Detailed Debug Mode.
The common errors are as below:
Unprintable characters in the password
Thu Apr 13 10:19:50 2023 : Info: Dropping packet without response because of error: Received packet from 10.10.10.1 with invalid Message-Authenticator! (Shared secret is incorrect.)
Thu Apr 13 10:19:51 2023 : Info: Dropping packet without response because of error: Received packet from 10.10.10.1 with invalid Message-Authenticator! (Shared secret is incorrect.)
Or:
fac radiusd[21402]: (206) facauth: Updated auth log 'test1': Local administrator authentication with FortiToken failed: invalid password
fac radiusd[21402]: (206) facauth: facauth: print reply attributes of request id 154:
fac radiusd[21402]: (206) [facauth] = reject
fac radiusd[21402]: (206) } # Auth-Type FACAUTH = reject
fac radiusd[21402]: (206) Failed to authenticate the user
fac radiusd[21402]: (206) WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
- Using the same secret on both the RADIUS server (FortiAuthenticator) and the RADIUS client (the Cisco device) solves the issue. Unprintable characters may be inserted by a copy-paste action or by using special characters, for example ø, [, ä, æ. See to remove those characters.
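
Why a mismatched secret produces both log messages above, shown as an added Python example that is not part of the original article or of FortiAuthenticator: it follows the RFC 2865 User-Password hiding scheme and the RFC 2869 Message-Authenticator (HMAC-MD5). The secrets, password, authenticator bytes and helper names are constructed for illustration, and the unprintable-byte test only approximates the server's warning.

```python
import hashlib
import hmac
import struct

REQ_AUTH = bytes(range(16))  # constructed Request Authenticator (random in real traffic)

def _xor(data: bytes, secret: bytes, req_auth: bytes, decrypt: bool) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous cipher block)."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(d ^ k for d, k in zip(data[i:i + 16], pad))
        prev = data[i:i + 16] if decrypt else block
        out += block
    return out

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    return _xor(password + b"\x00" * (-len(password) % 16), secret, req_auth, False)

def recover_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    return _xor(hidden, secret, req_auth, True).rstrip(b"\x00")

def build_access_request(user: bytes, password: bytes, secret: bytes) -> bytes:
    """Client side: User-Name, User-Password, then Message-Authenticator (type 80)."""
    hidden = hide_password(password, secret, REQ_AUTH)
    attrs = bytes([1, 2 + len(user)]) + user + bytes([2, 2 + len(hidden)]) + hidden
    attrs += bytes([80, 18]) + b"\x00" * 16  # zeroed while the HMAC is computed
    pkt = struct.pack("!BBH", 1, 154, 20 + len(attrs)) + REQ_AUTH + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def message_authenticator_ok(pkt: bytes, secret: bytes) -> bool:
    """Server side: zero the field, recompute HMAC-MD5 with the local secret, compare."""
    zeroed = pkt[:-16] + b"\x00" * 16
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), pkt[-16:])

def has_unprintable(data: bytes) -> bool:
    return any(b < 0x20 or b > 0x7E for b in data)

def check(nas_secret: str, server_secret: str) -> dict:
    """Build a request keyed with nas_secret and validate it with server_secret."""
    nas, srv = nas_secret.encode(), server_secret.encode()
    pkt = build_access_request(b"test1", b"Passw0rd!", nas)
    recovered = recover_password(pkt[-34:-18], srv, REQ_AUTH)  # 16-byte User-Password value
    return {"msg_auth_ok": message_authenticator_ok(pkt, srv),
            "password_ok": recovered == b"Passw0rd!",
            "unprintable": has_unprintable(recovered)}

if __name__ == "__main__":
    print(check("Str0ngSecret", "Str0ngSecret"))        # matching secrets
    print(check("Str0ngSecret\u00a0", "Str0ngSecret"))  # pasted non-breaking space on the NAS
```

The second call differs from the first by a single invisible character, which is enough to fail the Message-Authenticator check and to turn the recovered password into garbage bytes.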