Description
This article explains why a third-party RADIUS server may record multiple failed authentication attempts for a single user login coming from a FortiGate.
Related document:
Scope
FortiGate.
Solution
By default, when RADIUS authentication is configured, the authentication protocol is set to 'auto' (shown as 'Default' in the GUI).
config user radius
    (radius) # edit RAD          <----- New entry 'RAD' added.
    (RAD) # set auth-type
The available values for 'auth-type' (in the GUI, 'auto' appears as 'Default') are:
auto        <----- Use PAP, MS_CHAP_v2, and CHAP (in that order).
ms_chap_v2  <----- Microsoft Challenge Handshake Authentication Protocol version 2.
ms_chap     <----- Microsoft Challenge Handshake Authentication Protocol.
chap        <----- Challenge Handshake Authentication Protocol.
pap         <----- Password Authentication Protocol.
When 'auth-type' is set to 'auto', the FortiGate tries PAP, MS-CHAPv2, and CHAP in that order, so a single login can send up to three requests to the RADIUS server.
If the RADIUS server limits failed attempts, each request sent with a protocol the server does not accept is counted as a failed attempt, and eventually the user's authentication is rejected.
To resolve this, manually configure the protocol that the RADIUS server actually uses. PAP is typically a good choice. If the RADIUS server or FortiAuthenticator is domain joined, MS-CHAP-v2 is typically a good choice (it depends on the implementation).
For example, the configuration when using PAP:
config user radius
(radius) # edit RAD
(RAD) # set auth-type pap
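As an added example (not part of the original article), the following Python script looks for the server-side signature of the behaviour described above: several requests for the same user within a few seconds, each with a different authentication method, which is what a FortiGate set to 'auto' produces. The log format and all entries are constructed for illustration; real RADIUS servers log in their own formats and the regular expression would need to be adapted.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real server output): timestamp, user, method, result.
# alice: PAP rejected, then MS-CHAPv2 accepted (one wasted failure per login).
# bob:   all three methods rejected within two seconds (server does not accept any).
# carol: repeated PAP rejects, one method only (looks like a wrong password instead).
SAMPLE_LOG = """\
2025-03-01 10:00:01 user=alice method=PAP result=reject
2025-03-01 10:00:02 user=alice method=MS-CHAPv2 result=accept
2025-03-01 10:05:00 user=bob method=PAP result=reject
2025-03-01 10:05:01 user=bob method=MS-CHAPv2 result=reject
2025-03-01 10:05:02 user=bob method=CHAP result=reject
2025-03-01 10:20:00 user=carol method=PAP result=reject
2025-03-01 10:20:30 user=carol method=PAP result=reject
2025-03-01 10:21:00 user=carol method=PAP result=reject
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) user=(?P<user>\S+) method=(?P<method>\S+) result=(?P<result>\S+)$"
)


def parse(log_text):
    """Parse the constructed log lines into (timestamp, user, method, result) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["user"], m["method"], m["result"]))
    return events


def find_auto_fallback(events, window=timedelta(seconds=10)):
    """Return {user: (methods_tried, reject_count)} for users whose attempts inside
    `window` used two or more different methods. Rejects that all use one method are
    not reported: they suggest a bad password rather than the 'auto' protocol walk."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort()  # oldest first; tuples sort by timestamp
        for i, (start, _, _, _) in enumerate(evs):
            burst = [e for e in evs[i:] if e[0] - start <= window]
            methods = sorted({e[2] for e in burst})
            if len(methods) >= 2:
                rejects = sum(1 for e in burst if e[3] == "reject")
                flagged[user] = (methods, rejects)
                break
    return flagged
```

Users flagged by this check are candidates for the fix above (pin 'auth-type' to the protocol the server accepts) rather than for account lockout.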
Copyright 2025 Fortinet, Inc. All Rights Reserved.