sagha, Staff
Article Id 203057
Description

This article describes why FortiGate RADIUS authentication may fail with Microsoft NPS as the RADIUS server.

Scope

FortiGate.

Solution

The setup is as follows:

  1. FortiGate is configured as a RADIUS client.
  2. Microsoft NPS is configured as the RADIUS server.
  3. The following details are used to log in:


user: test

password: ä12345


When an accented character such as the ä above is used in the password, authentication fails, and the FortiGate authentication debug output shows:


[1329] __fnbamd_rad_send-Sent radius req to server 'Rad_server': fd=14, IP=10.10.1.193(10.10.1.193:1812) code=1 id=17 len=181 user="test" using MS-CHAPv2
[320] radius_server_auth-Timer of rad 'Rad_server' is added
[596] create_auth_session-Total 1 server(s) to try
[1388] fnbamd_auth_handle_radius_result-Timer of rad 'Rad_server' is deleted
[1797] fnbamd_radius_auth_validate_pkt-RADIUS resp code 3
[416] extract_chap_error-CHAP err: E=691 R=0 V=3
[1414] fnbamd_auth_handle_radius_result-->Result for radius svr 'Rad_server' 10.10.1.193(1) is 1
[217] fnbamd_comm_send_result-Sending result 1 (nid 0) for req 1602112804, len=3084


This is a limitation of Microsoft NPS: accented characters in a password trigger this failure. The same occurs with symbols such as the euro sign (€).


Explained here: 

https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-best-practices

Microsoft NPS does not encode RADIUS passwords in UTF-8; it encodes them in Extended ASCII instead. Because this does not comply with RFC 2865, the password bytes NPS works with differ from those the FortiGate authentication daemon sent, so the comparison is a mismatch and authentication fails.
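The byte-level mismatch described above, as an added example that is not part of the original article: the same password is encoded in UTF-8 (what RFC 2865 expects) and in Latin-1 (the "Extended ASCII" NPS uses), and the two byte strings are run through the RFC 2865 section 5.2 User-Password hiding to show that even the hidden attribute values differ. The shared secret and Request Authenticator are constructed sample values; the User-Password attribute is used here instead of the MS-CHAPv2 exchange seen in the log because it shows the encoding difference most directly.

```python
import hashlib

# Constructed sample values for the demonstration (not from the article).
SHARED_SECRET = b"example-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))  # fixed 16-byte value for reproducibility


def encode_candidates(password: str) -> dict:
    """Byte forms of a password under UTF-8 (RFC 2865) and under Latin-1,
    i.e. 'Extended ASCII'. Latin-1 is None when the password contains a
    character Latin-1 cannot represent (for example the euro sign)."""
    try:
        latin1 = password.encode("latin-1")
    except UnicodeEncodeError:
        latin1 = None
    return {"utf-8": password.encode("utf-8"), "latin-1": latin1}


def encodings_agree(password: str) -> bool:
    """True only when both encodings yield identical bytes, which is the case
    exactly when the password is pure 7-bit ASCII. Use this as a pre-check
    for passwords that must work against NPS."""
    cand = encode_candidates(password)
    return cand["latin-1"] is not None and cand["latin-1"] == cand["utf-8"]


def hide_user_password(password_bytes: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to a multiple of 16 bytes, then
    XOR each 16-byte chunk with MD5(secret + previous ciphertext chunk); the
    'previous chunk' for the first block is the Request Authenticator."""
    padded = password_bytes + b"\x00" * (-len(password_bytes) % 16)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += chunk
        prev = chunk
    return bytes(out)


def hidden_forms(password: str) -> dict:
    """Hidden User-Password value for each encoding (None if not encodable)."""
    return {enc: None if raw is None else hide_user_password(raw, SHARED_SECRET, REQUEST_AUTHENTICATOR)
            for enc, raw in encode_candidates(password).items()}


if __name__ == "__main__":
    for pw in ("test123", "\u00e412345", "\u20ac12345"):  # "test123", "ä12345", "€12345"
        print(pw, encode_candidates(pw), "agree" if encodings_agree(pw) else "MISMATCH")
```

For "ä12345" the UTF-8 form is seven bytes and the Latin-1 form six, so the hidden attribute values differ and the server-side comparison can never succeed; for "€12345" Latin-1 cannot represent the password at all.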


Note:

If Microsoft NPS is used as the RADIUS server for FortiGate, it is advised not to use accented characters or special symbols in the password. Strictly use symbols and punctuation from ISO-8859-1.