FortiAuthenticator
FortiAuthenticator provides access management and single sign on.
kiri
Staff
Article Id 254414
Description

This article describes what is causing the "NULL password is not allowed" error in RADIUS debug and how it can be fixed.

 

fortiauth radiusd[23159]: (3) facauth: Remote ldap user 'test': NULL password is not allowed
...
fortiauth radiusd[23159]: (3) facauth: Updated auth log 'test': Remote LDAP user authentication(mschap) with no token failed: invalid password

 

This error is caused by an authentication method mismatch between the parties involved in this transaction (for example, the FortiGate/supplicant sends MSCHAPv2, but the FortiAuthenticator and/or the remote server supports PAP only).
The supplicant is sending a hash of the password, while the server is expecting the actual password.
That results in an 'invalid password' error.

Scope

FortiAuthenticator 6.X.

Solution

MSCHAPv2 is supported by the FortiAuthenticator, but it might not be enabled for one of the following reasons:

1) The FortiAuthenticator is not joined to the domain. Join it to the domain.
2) MSCHAPv2 is not configured/enabled on the RADIUS policy (Password/OTP authentication/EAP-MSCHAPv2). Enable it.
3) 'Use Windows AD domain authentication' is disabled on the RADIUS policy. Enable it.
4) MSCHAPv2 is not supported by the remote server, which could be the case if the remote LDAP service is not a Microsoft Windows-based LDAP server.

Make sure the RADIUS client/supplicant is using the same method as the RADIUS server.
With default FortiGate settings, it should work.

# config user radius
    edit <RADIUS server name>
        set auth-type auto
    next
end


OR:

# config user radius
    edit <RADIUS server name>
        set auth-type pap
    next
end


Make sure the RADIUS server supports the method the client/supplicant is using.
Check the four possible reasons listed above that would prevent that.
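
To confirm which method the client actually puts on the wire, the UDP payload of a captured Access-Request can be classified by its attributes. The following Python is an added example, not part of the original article or Fortinet code; the attribute numbers are those of RFC 2865, RFC 2548 and RFC 3579, and the helper names and sample packets are constructed for illustration.

```python
import struct

MS_VENDOR_ID = 311                        # Microsoft vendor id (RFC 2548)
MS_VSA = {1: "MSCHAP", 25: "MSCHAPv2"}    # MS-CHAP-Response, MS-CHAP2-Response
PLAIN = {2: "PAP", 3: "CHAP", 79: "EAP"}  # User-Password, CHAP-Password, EAP-Message
PRIORITY = ["EAP", "MSCHAPv2", "MSCHAP", "CHAP", "PAP"]

def radius_auth_method(packet: bytes) -> str:
    """Name the authentication method carried by a RADIUS Access-Request."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1 or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Request")
    found, pos = set(), 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute length")
        value = packet[pos + 2:pos + a_len]
        if a_type in PLAIN:
            found.add(PLAIN[a_type])
        elif a_type == 26 and len(value) >= 5:    # Vendor-Specific
            vendor, v_type = struct.unpack("!IB", value[:5])
            if vendor == MS_VENDOR_ID and v_type in MS_VSA:
                found.add(MS_VSA[v_type])
        pos += a_len
    return next((m for m in PRIORITY if m in found), "none")

# Hypothetical helpers that build constructed, zero-filled sample packets.
def attr(a_type: int, value: bytes) -> bytes:
    return bytes([a_type, len(value) + 2]) + value

def request(*attrs: bytes) -> bytes:
    body = b"".join(attrs)
    return struct.pack("!BBH", 1, 7, 20 + len(body)) + bytes(16) + body

def ms_vsa(v_type: int, data: bytes) -> bytes:
    return attr(26, struct.pack("!IBB", MS_VENDOR_ID, v_type, len(data) + 2) + data)

USER = attr(1, b"test")                   # User-Name, as in the log above
PAP_REQ = request(USER, attr(2, bytes(16)))
MSCHAPV2_REQ = request(USER, ms_vsa(11, bytes(16)), ms_vsa(25, bytes(50)))

if __name__ == "__main__":
    for name, pkt in (("PAP_REQ", PAP_REQ), ("MSCHAPV2_REQ", MSCHAPV2_REQ)):
        print(name, "->", radius_auth_method(pkt))
```

A request classified as MSCHAPv2 carries no User-Password attribute, so a server path that needs the password itself has nothing to work with.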

 

Related documents:

https://docs.fortinet.com/document/fortiauthenticator/6.4.7/administration-guide/569230/ldap
https://docs.fortinet.com/document/fortiauthenticator/6.4.7/administration-guide/416152/policies
https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-Why-to-join-FortiAuthenticator-to...
https://community.fortinet.com/t5/FortiAuthenticator/Troubleshooting-Tip-FortiAuthenticator-error-Fa...
