|
The setup is as follow:
1. FortiGate is configured as Radius Client.
2. Microsoft NPS is configured as a Radius server.
3. Following details are being used to log in:
user: test
password: ä12345
When trying to use accented characters as above in the password, the authentication fails.
[1329] __fnbamd_rad_send-Sent radius req to server 'Rad_server': fd=14, IP=10.10.1.193(10.10.1.193:1812) code=1 id=17 len=181 user="test" using MS-CHAPv2
[320] radius_server_auth-Timer of rad 'Rad_server' is added
[596] create_auth_session-Total 1 server(s) to try
[1388] fnbamd_auth_handle_radius_result-Timer of rad 'Rad_server' is deleted
[1797] fnbamd_radius_auth_validate_pkt-RADIUS resp code 3
[416] extract_chap_error-CHAP err: E=691 R=0 V=3
[1414] fnbamd_auth_handle_radius_result-->Result for radius svr 'Rad_server' 10.10.1.193(1) is 1
[217] fnbamd_comm_send_result-Sending result 1 (nid 0) for req 1602112804, len=3084
This is a limitation for the Microsoft NPS where accented characters if used in passwords will lead to this limitation.
Explained here:
https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-best-practices
From the link: Network Policy Server (NPS) does not support the use of the Extended ASCII characters within passwords.
Microsoft NPS is not encoding Radius passwords in UTF-8. It is instead encoding it in Extended ASCII. Since it is not complying with RFC2865, the FortiGate authentication daemon would receive a password that would be a mismatch and authentication would fail.
Note: If using Microsoft NPS with FortiGate as Radius server, it is advised to not use any accented characters in the password.
|
