Created on 10-30-2024 10:52 PM
Edited on 11-08-2024 07:58 AM
By Stephen_G
Description
This article describes a common scenario in which RADIUS authentication fails because the shared secret in the RADIUS configuration is invalid.
Scope
FortiAuthenticator, Cisco (any device which could act as a RADIUS server, e.g. Cisco ISE, Cisco ACS, Cisco routers and switches, Cisco Meraki).
Solution
The configuration required on FortiAuthenticator is as below:
- On FortiAuthenticator, navigate to Authentication -> RADIUS Service -> Clients, and select Create New to add the Cisco device as a RADIUS client.
- Add the RADIUS policy and add the group used for authentication. In this example, the group is 'LDAP_AD_GROUP'.
- To debug on FortiAuthenticator, navigate to https://x.x.x.x/debug, go to Log -> Categories -> RADIUS -> Authentication, enable Debug Mode, and enable Detailed Debug Mode.
The common errors are as below:
Unprintable characters in the password
Thu Apr 13 10:19:50 2023 : Info: Dropping packet without response because of error: Received packet from 10.10.10.1 with invalid Message-Authenticator! (Shared secret is incorrect.)
Thu Apr 13 10:19:51 2023 : Info: Dropping packet without response because of error: Received packet from 10.10.10.1 with invalid Message-Authenticator! (Shared secret is incorrect.)
Or:
fac radiusd[21402]: (206) facauth: Updated auth log 'test1': Local administrator authentication with FortiToken failed: invalid password
fac radiusd[21402]: (206) facauth: facauth: print reply attributes of request id 154:
fac radiusd[21402]: (206) [facauth] = reject
fac radiusd[21402]: (206) } # Auth-Type FACAUTH = reject
fac radiusd[21402]: (206) Failed to authenticate the user
fac radiusd[21402]: (206) WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
- Using the same secret on both the Cisco RADIUS server and the RADIUS client solves the issue. Unprintable characters may be introduced by a copy-paste action or by using special characters, for example ø, [, ä, æ. See to remove those characters.
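The "Unprintable characters in the password" warning follows from how RADIUS hides the PAP User-Password (RFC 2865, section 5.2): the password is XORed with an MD5 keystream derived from the shared secret, so a server holding a different secret recovers random bytes. The Python sketch below is an added example, not FortiAuthenticator or Cisco code; the secrets, password, authenticator and function names are constructed for illustration. It also audits a secret for the hidden characters a copy-paste can introduce.

```python
import hashlib
import unicodedata

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side (RFC 2865 5.2): NUL-pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block  # the next keystream block chains on this ciphertext block
    return out

def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: reverse the XOR chain, then strip the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def is_printable(data: bytes) -> bool:
    """True only if every byte is printable ASCII (0x20-0x7E)."""
    return all(0x20 <= b <= 0x7E for b in data)

def audit_secret(secret: str) -> list:
    """Report characters outside printable ASCII as (position, code point, Unicode name)."""
    return [(i, f"U+{ord(c):04X}", unicodedata.name(c, "UNNAMED"))
            for i, c in enumerate(secret) if not 0x20 <= ord(c) <= 0x7E]

# Constructed sample values, not taken from the article.
AUTHENTICATOR = bytes(range(16))    # Request Authenticator from the Access-Request
SERVER_SECRET = "Lab-Secret-01"     # secret as typed on the RADIUS server
NAS_SECRET = "Lab-Secret-01\u00a0"  # pasted copy carrying a trailing non-breaking space
HIDDEN = hide_password(b"CorrectHorse9", NAS_SECRET.encode("utf-8"), AUTHENTICATOR)

if __name__ == "__main__":
    print("server secret audit:", audit_secret(SERVER_SECRET))
    print("NAS secret audit:   ", audit_secret(NAS_SECRET))
    print("matching secret:    ", recover_password(HIDDEN, NAS_SECRET.encode("utf-8"), AUTHENTICATOR))
    print("mismatched secret:  ", recover_password(HIDDEN, SERVER_SECRET.encode("utf-8"), AUTHENTICATOR))
```

The two secrets look identical on screen, which is why the audit reports the position and code point of the offending character rather than only a pass/fail result.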