FortiGate
sagha
Staff
Description

This article describes why FortiGate RADIUS authentication may fail when Microsoft NPS is used as the RADIUS server.
Scope

FortiGate

Solution

The setup is as follows:

1. FortiGate is configured as the RADIUS client.

2. Microsoft NPS is configured as the RADIUS server.

3. The following credentials are used to log in:

user: test

password: ä12345

When the password contains an accented character such as the 'ä' above, authentication fails. The FortiGate authentication daemon (fnbamd) debug output shows the RADIUS server answering with an Access-Reject (response code 3) carrying MS-CHAPv2 error 691 (authentication failure):

[1329] __fnbamd_rad_send-Sent radius req to server 'Rad_server': fd=14, IP=10.10.1.193(10.10.1.193:1812) code=1 id=17 len=181 user="test" using MS-CHAPv2
[320] radius_server_auth-Timer of rad 'Rad_server' is added
[596] create_auth_session-Total 1 server(s) to try
[1388] fnbamd_auth_handle_radius_result-Timer of rad 'Rad_server' is deleted
[1797] fnbamd_radius_auth_validate_pkt-RADIUS resp code 3
[416] extract_chap_error-CHAP err: E=691 R=0 V=3
[1414] fnbamd_auth_handle_radius_result-->Result for radius svr 'Rad_server' 10.10.1.193(1) is 1
[217] fnbamd_comm_send_result-Sending result 1 (nid 0) for req 1602112804, len=3084

This is a Microsoft NPS limitation: accented (extended ASCII) characters in a password cause the authentication failure shown above.

Explained here:

https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-best-practices

From the link: "Network Policy Server (NPS) does not support the use of Extended ASCII characters within passwords."

Microsoft NPS does not encode RADIUS passwords in UTF-8; it encodes them in extended ASCII instead. Because this does not comply with RFC 2865, the two sides disagree on the password bytes, the FortiGate authentication daemon gets back a mismatch, and authentication fails.

Note: When Microsoft NPS is the RADIUS server for a FortiGate, avoid accented characters in user passwords.
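The encoding mismatch described above, as an added example that is not part of the original article or any Fortinet code: the debug output uses MS-CHAPv2, where the password itself never crosses the wire, so this models the simpler RFC 2865 User-Password attribute the article cites (hidden on the client, revealed on the server) and shows what the server recovers when the client encodes 'ä12345' as UTF-8 but the server reads the octets as extended ASCII (Latin-1). The shared secret and Request Authenticator are constructed values, and nps_safe is an assumed helper that implements the Note's recommendation.

```python
import hashlib

# Constructed values for the demonstration (not from the article's environment).
SECRET = b"constructed-shared-secret"
AUTHENTICATOR = bytes(range(16))      # stands in for the random Request Authenticator
PASSWORD = "ä12345"                   # the password from the article


def hide_user_password(password: str, secret: bytes, authenticator: bytes, encoding: str) -> bytes:
    """Client side of RFC 2865 section 5.2: encode the password (the RFC says
    UTF-8), pad with NULs to a multiple of 16 octets, then XOR each 16-octet
    chunk with MD5(secret + previous block), seeded with the authenticator."""
    raw = password.encode(encoding)
    if len(raw) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = raw + b"\x00" * (-len(raw) % 16)
    hidden, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += chunk
        prev = chunk
    return bytes(hidden)


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes, encoding: str) -> str:
    """Server side: undo the hiding, strip the NUL padding, then decode the
    octets with whatever character encoding the server assumes."""
    plain, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(chunk, key))
        prev = chunk
    return bytes(plain).rstrip(b"\x00").decode(encoding, errors="replace")


def nps_safe(password: str) -> bool:
    """Mitigation from the Note: only printable 7-bit ASCII passes."""
    return all(0x20 <= ord(ch) <= 0x7E for ch in password)


if __name__ == "__main__":
    sent = hide_user_password(PASSWORD, SECRET, AUTHENTICATOR, "utf-8")     # 'ä' -> octets C3 A4
    print(reveal_user_password(sent, SECRET, AUTHENTICATOR, "utf-8"))       # ä12345 (UTF-8 server)
    print(reveal_user_password(sent, SECRET, AUTHENTICATOR, "latin-1"))     # Ã¤12345 (extended-ASCII server)
    print(nps_safe(PASSWORD), nps_safe("test123"))                          # False True
```

A server that decodes the octets as Latin-1 sees a seven-character password that differs from the six-character one the user typed, so the comparison fails exactly as in the debug output; ASCII-only passwords decode identically under both encodings.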
