Explorer

Solved

Unable to authenticate radius users

Forum|Forum|2 years ago
March 19, 2024
3 replies
14120 views

Greetings,

I am configuring RADIUS authentication on my Fortigate 101F running FortiOS Version 7.4.3.

The Microsoft NPS Server has been configured according to this guide.

My radius configuration is as follows:

config user radius
edit "RADIUS"
set server "172.16.9.3"
set secret PSK
set nas-ip x.x.x.x
set auth-type ms_chap_v2
set source-ip "x.x.x.x"
next
end

The connection between the Fortigate and the NPS is successful, but test user credentials test fails.

The CLI test output is as follows:

diagnose test authserver radius RADIUS mschap2 user password
authenticate 'user' against 'mschap2' failed, assigned_rad_session_id=1486429090 session_timeout=0 secs idle_timeout=0 secs!

Running a packet capture between the Firewall and the Radius Server I get an access-reject response with the following MS-CHAP error

Code: 3
ID: 190
Length: 42
Auth: 91 C7 F9 28 0A 50 59 33 13 39 B3 75 58 04 AC EE
AVP: l=22 t=Vendor-Specific(26) v=Microsoft(311)
VSA: l=16 t=MS-CHAP-Error(2)
Value: '<00>E=649 R=0 V=3'

Any insight would be much appreciated.

Thanks in advance.

Best answer by pminarik

What does the NPS log on the Windows server say about?

The error code is very specific and should be very clear, so I would rather trust the NPS. No offense intended. :)

On the NPS server: Event Log Viewer > Custom Views > Server Roles > Network and Policy Access Services.

Find the entry/entries for the rejected attempt. Check what it says. Also pay close attention to and check what rule/policy the attempt matched. (if you have multiple, maybe the matching is not as you expect)

AEK

SuperUser

Hi

Can you test user credentials by entering "domain\user" as user instead of "user"?

AEK

turiprivAuthor

Explorer

Hi,

yes I tried that too, but unfortunatelly I got the same error message.

pminarik

Staff

From MS-CHAPv2 RFC 2759.

649 ERROR_NO_DIALIN_PERMISSION

This is related to the "dial-in" property of AD users.

You can edit that in each user's Properties > Dial-in tab. (allow | deny | control based on NPS policy)

You can also set the Network Policy in NPS itself to ignore the dialin property. (Overview tab, section "Access Permission").

turiprivAuthor

Explorer

Hi,

thank you for your feedback and sorry for my late reply. Unfortunately, both the options you pointed out are already selected in the NPS.

pminarikAnswer

Staff

What does the NPS log on the Windows server say about?

The error code is very specific and should be very clear, so I would rather trust the NPS. No offense intended. :)

On the NPS server: Event Log Viewer > Custom Views > Server Roles > Network and Policy Access Services.

Find the entry/entries for the rejected attempt. Check what it says. Also pay close attention to and check what rule/policy the attempt matched. (if you have multiple, maybe the matching is not as you expect)

turiprivAuthor

Explorer

Greetings everyone,

for some reason I fail to understand, the NPS event viewer was not displaying any error messages whatsoever.

Anyway, what I found out is that there was indeed a mismatch in policy due to an incorrect policy ordering.

Once the Fortinet-related policy was ranked-up everything warked fine.

Thanks everyone for your insight.

amg7

Visitor III

Hello, can you tell me what you did to solve it? Do you mean the policies in the Fortinet or the NPS policies?

Thanks
Regards

turiprivAuthor

Explorer

Sorry for this very late reply. The issue was the policy ordering in the NPS server. Once the appropriate oerder was set up, authentication was succesful.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded