Radius connection does not work anymore after upgrading from 7.2.9 to 7.2.10

Hi Martin

This is due to a new RADIUS vulnerability.

https://www.fortiguard.com/psirt/FG-IR-24-255

If I'm not wrong the solution is to use RADSEC.

Additionally you may check this:

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-RADIUS-authentication-failure-after-the/ta-p/343112

Thanks for your quick answer!
Martin

Hold on. I had the opposite experience, it didn't work when FGT was 7.2.9 and the freeRADIUS was upgraded to the latest. So I had to exempt the FGT from Message-Authenticator attribute check as I posted before.
https://community.fortinet.com/t5/Support-Forum/RADIUS-attribute-Message-Authenticator/td-p/327120

So do you have this "require_message_authenticator = no" flag set? I would assume it would still work with 7.2.10 with this exception. Or you might need to upgrade the freeRADIUS to the latest.

Toshi

But your error is different from my case. Does it fail if you create a new user/set a new credential and try connecting VPN? Run "radiusd -X" to check the detail when it fails.

Toshi

Hi, please make sure your free radius is one of this version 3.0.26, 3.2.3, 3.2.5, 3.2.6. as these are working with FortiGate

By the way, mine is 3.0.25 and working fine with 7.2.10.

Toshi

Hi Toshi, Rahman

Does it mean RADSEC is not mandatory?

RADSEC is to just encrypt/encapsulate RADIUS UDP traffic in TLS, which is not available with 7.2.x anyway. As long as the server side can handle/reply FGT's auth request message with Message-Authenticator attribute, which most recent/decent servers do, it should work fine.

Or, RADSEC is more to address the security issue if the unencrypted RADIUS traffic goes over the internet.

Toshi