Skip to main content
scitlak
Staff
scitlak
Staff
September 26, 2024

Technical Tip: How to configure FortiNAC to send the 'Message-Authenticator' attribute in Access-Accept message through RADIUS Authentication

  • September 26, 2024
  • 0 replies
  • 4333 views
Description This article describes how to fix the 'Authentication Failure' issue due to the missing 'Message-Authenticator' attribute that is mandatory with FortiOS v7.2.10 or v7.4.5.
Scope FortiNAC, FortiNAC-F.
Solution

In case of a RADIUS Authentication with EAP, FortiNAC will send 'Access-Accept', 'Access-Reject', or 'Access-Challenge' messages with the 'Message-Authenticator' attribute. However, when MAB is in use, the 'Message-Authenticator' attribute will not be sent by FortiNAC by default, and authentication will fail with FortiOS v7.2.10 or v7.4.5. 
If 'fnbamd' debug log is enabled in FortiGate, the below debug logs can be observed.

 

[1156] __rad_chk_resp_authenticator-No Message Authenticator
[1210] fnbamd_rad_validate_pkt-Invalid digest

By following the steps below, the 'Message-Authenticator' can be enabled for MAB.

  1. Under Network -> RADIUS ->Attributes Groups -> Select the Attribute Group that is already in use under Devices Model Configuration and select 'Modify'.
  2. In the left Window, filter the Attributes, find the 'Message-Authenticator' attributes, and move them to the right window.
                                                 
    26.09.2024_13.16.40_REC.png                                                        

  3. Select the 'Response Values' field and keep it empty, as shown below. Then Select OK.
                                                    
    26.09.2024_13.17.18_REC.png                                                               

  4. Check the RADIUS Authentication and enable packet capture. The FortiNAC will send the 'Message-Authenticator' attribute with the Access-Accept message. 
                                                     
    26.09.2024_12.35.47_REC (1).png                                                                       

  5.  Check the Authentication Status on FortiGate CLI and confirm it is Authorized.


26.09.2024_12.40.31_REC.png

 

Note: Since the FortiGate test Radius request with username test01 will not match any 'Network Access Policy' and 'Logical Network', and FortiGate does not use EAP for test 'Radius-Request', FortiNAC will send an 'Access-Accept' without any additional RADIUS Attributes. As a consequence, FortiGate will still state an 'Invalid secret for the server'.


26.09.2024_12.43.44_REC.png

26.09.2024_13.43.55_REC.png

 

2nd option:
Upgrade FortiNAC to v7.2.8, v7.4.1, v7.6.0 GA or above.
    Terms & ConditionsAccessibility statement