Troubleshooting Tips: FortiNDR failed to login using RADIUS Authentication after 1 failed login attempt

Description

This article describes how to troubleshoot FortiNDR failing to log in with RADIUS Authentication after 1 failed login attempt, using FortiAuthenticator as the RADIUS server.

Scope

FortiNDR.

Solution

When FortiAuthenticator is configured as a RADIUS server for FortiNDR administrator logins, a single failed login attempt triggers a 60-second lockout. During this period, subsequent login attempts will fail even if the correct credentials are provided.

FortiAuthenticator is logging multiple authentication requests for a single user, even though only one failed login attempt actually occurred.

After 3 login attempts failed, the message showed too many failed login attempts, and the IP address is locked for 60 seconds.

This issue is because FortiAuthenticator is set to lock out the IP after 3 failed login attempts for 60 seconds. The setting can be checked at the User Account Policies -> Lockouts.

In FortiNDR, if the RADIUS protocol is set to use ‘Default Authentication Scheme’, it will try to use each of the protocols when the login attempt fails. That is why the multiple login attempt failed can be observed in the FortiAuthenticator logs.