Technical Tip: Multiple failed attempts with 3rd party Radius server or FortiAuthenticator.
Description
This article describes why a 3rd party RADIUS server receives multiple failed attempts when a user authenticates.
Scope
FortiGate.
Solution
By default, when RADIUS authentication is configured, the authentication protocol is set to 'auto' (shown as 'Default' in the GUI).
config user radius
(radius) # edit RAD <----- New entry 'RAD' added.
(RAD) # set auth-type ?
auto <----- Use PAP, MS_CHAP_v2, and CHAP (in that order).
ms_chap_v2 <----- Microsoft Challenge Handshake Authentication Protocol version 2.
ms_chap <----- Microsoft Challenge Handshake Authentication Protocol.
chap <----- Challenge Handshake Authentication Protocol.
pap <----- Password Authentication Protocol.
When 'auth-type' is set to 'auto', FortiGate will use PAP, MS_CHAPv2, and CHAP (in that order).
So it will use all 3 protocols when connecting to the RADIUS server.
If the RADIUS server is configured to limit failed attempts, each attempt made with the wrong protocol is counted as a failed attempt.
Eventually, the user will be rejected when trying to authenticate.
To resolve this, manually configure the protocol that the RADIUS server uses. Typically PAP is a good choice. If the RADIUS server or FortiAuthenticator is domain-joined, MS-CHAP-V2 is typically a good choice (it depends on the implementation).
For example, the configuration when using PAP:
config user radius
(radius) # edit RAD
(RAD) # set auth-type pap
(RAD) # end
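To check on the RADIUS server side whether failed attempts come from the 'auto' protocol fallback described above rather than from repeated wrong passwords, the following added example (not from the original article or from Fortinet) flags bursts where one user on one NAS is tried with several protocols within a few seconds. The log line format, the sample entries, and the 5-second window are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical "time nas user method result" format;
# real RADIUS server logs differ and need their own parser.
SAMPLE_LOG = """\
2024-05-01T09:00:00 10.0.0.1 alice PAP reject
2024-05-01T09:00:01 10.0.0.1 alice MSCHAPv2 accept
2024-05-01T09:05:00 10.0.0.1 bob PAP reject
2024-05-01T09:05:01 10.0.0.1 bob MSCHAPv2 reject
2024-05-01T09:05:02 10.0.0.1 bob CHAP reject
2024-05-01T09:10:00 10.0.0.2 carol PAP reject
2024-05-01T09:12:00 10.0.0.2 carol PAP reject
"""

def parse(log_text):
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed lines
        ts, nas, user, method, result = parts
        yield datetime.fromisoformat(ts), nas, user, method, result

def fallback_bursts(log_text, window=timedelta(seconds=5)):
    """Return (nas, user, methods, rejects) for bursts that cycle through protocols."""
    by_key = defaultdict(list)
    for ts, nas, user, method, result in parse(log_text):
        by_key[(nas, user)].append((ts, method, result))
    findings = []
    for (nas, user), events in by_key.items():
        events.sort()
        burst = [events[0]]
        for ev in events[1:] + [None]:  # None closes the final burst
            if ev is not None and ev[0] - burst[-1][0] <= window:
                burst.append(ev)
                continue
            methods = [m for _, m, _ in burst]
            rejects = sum(1 for _, _, r in burst if r == "reject")
            # Several protocols in one burst plus a reject: protocol fallback,
            # each reject counting against the server's failed-attempt limit.
            if len(set(methods)) > 1 and rejects:
                findings.append((nas, user, tuple(methods), rejects))
            if ev is not None:
                burst = [ev]
    return findings

if __name__ == "__main__":
    for finding in fallback_bursts(SAMPLE_LOG):
        print(finding)
```

In the constructed sample, alice and bob are flagged because their rejects arrive as one multi-protocol burst, while carol's two PAP rejects two minutes apart are not.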
