FortiGate
Ade_23
Staff
Article Id 421593
Description

This article describes an issue where the FortiGate is unable to contact the RADIUS server even though the message-authenticator attribute is enabled on both the NPS server and the FortiGate.
Scope

FortiGate v7.2.10+, v7.4.5+ and v7.6.1+ and FortiProxy v7.4.6+, v7.6.0+.

Solution

With the introduction of the message-authenticator attribute in recent FortiOS firmware versions, there could be issues connecting a FortiGate to a RADIUS server.

This is usually due to either the FortiGate or the RADIUS side not supporting or not enabling this attribute. For these cases, refer to the following article: Troubleshooting Tip: RADIUS authentication failure after the firmware upgrade to v7.2.10/v7.4.5/v7.6...

If the attribute is enabled on both sides (Windows NPS and the FortiGate) and connectivity has been confirmed, a possible cause is the following error on the NPS server:

An Access-Request message was received from RADIUS client x.x.x.x with a Message-Authenticator attribute that is not valid.

If this error is seen even with the attribute correctly enabled, the issue is normally the shared secret configured between the FortiGate and the NPS server. Changing or confirming the secret on both sides should resolve it.