FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Description

This article describes why FortiGate RADIUS authentication may fail when Microsoft NPS is used as the RADIUS server.

The setup is as follows:


1. FortiGate is configured as the RADIUS client.

2. Microsoft NPS is configured as the RADIUS server.

3. The following credentials are used to log in:

user: test

password: ä12345


When the password contains an accented character, as in the example above, authentication fails. The FortiGate authentication daemon (fnbamd) debug output shows NPS answering with an Access-Reject (RADIUS code 3) that carries MS-CHAP error 691 (authentication failure):


[1329] __fnbamd_rad_send-Sent radius req to server 'Rad_server': fd=14, IP= code=1 id=17 len=181 user="test" using MS-CHAPv2
[320] radius_server_auth-Timer of rad 'Rad_server' is added
[596] create_auth_session-Total 1 server(s) to try
[1388] fnbamd_auth_handle_radius_result-Timer of rad 'Rad_server' is deleted
[1797] fnbamd_radius_auth_validate_pkt-RADIUS resp code 3
[416] extract_chap_error-CHAP err: E=691 R=0 V=3
[1414] fnbamd_auth_handle_radius_result-->Result for radius svr 'Rad_server' is 1
[217] fnbamd_comm_send_result-Sending result 1 (nid 0) for req 1602112804, len=3084


This is a limitation of Microsoft NPS: accented characters in a password cause the authentication to fail.


Explained here:

From the link: Network Policy Server (NPS) does not support the use of Extended ASCII characters within passwords.

Microsoft NPS does not encode RADIUS passwords in UTF-8; it encodes them in Extended ASCII instead. Because this does not comply with RFC 2865, the password bytes the FortiGate authentication daemon works with and the bytes NPS expects do not match, and authentication fails.


Note: If Microsoft NPS is used as the RADIUS server for FortiGate, it is advised not to use accented characters in passwords.
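The following added example (not from the article or from Fortinet) illustrates the encoding mismatch described above and the pre-check implied by the note. It models the RFC 2865 User-Password hiding that the article cites: the same password string is encoded once as UTF-8 and once as Windows-1252 (single-byte "Extended ASCII"), and the two sides only agree when the bytes are identical; the shared secret and Request Authenticator are constructed placeholders.

```python
import hashlib

# Constructed values (not from the article) so the run is reproducible offline.
SHARED_SECRET = b"constructed-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))


def encoded_forms(password: str) -> dict:
    """Bytes of the password as UTF-8 (what RFC 2865 expects) and as
    Windows-1252, the single-byte 'Extended ASCII' the article describes."""
    return {"utf-8": password.encode("utf-8"),
            "cp1252": password.encode("cp1252")}


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16, then XOR each block with
    MD5(secret + previous block); the first block uses the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += prev
    return hidden


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_user_password; trailing NUL padding is stripped."""
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return plain.rstrip(b"\x00")


def passwords_match(client_encoding: str, server_encoding: str, password: str) -> bool:
    """Simulate one Access-Request: the client hides the password in its encoding,
    the server reveals it and compares with its own encoding of the same string."""
    forms = encoded_forms(password)
    hidden = hide_user_password(forms[client_encoding], SHARED_SECRET, REQUEST_AUTHENTICATOR)
    revealed = reveal_user_password(hidden, SHARED_SECRET, REQUEST_AUTHENTICATOR)
    return revealed == forms[server_encoding]


def non_ascii_chars(password: str) -> list:
    """Pre-check matching the article's note: characters outside 7-bit ASCII,
    which an NPS-backed deployment should reject before they reach RADIUS."""
    return [ch for ch in password if ord(ch) > 0x7F]
```

For "ä12345" the UTF-8 form is 7 bytes and the cp1252 form is 6, so passwords_match("utf-8", "cp1252", ...) is False, while an all-ASCII password such as "test123" matches under either encoding.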