FortiGate
ChrisTan
Staff
Article Id 415234

 

Description This article describes an issue where the RADIUS setting may be missing after upgrading to v7.4.8.
Scope FortiGate v7.4+.
Solution

When a RADIUS configuration is present on the FortiGate and the FortiGate needs to push the 802.1X profile to the FortiSwitch using the RADIUS group, the RADIUS auth type and secret key on the FortiSwitch are mismatched after the FortiGate is upgraded to v7.4.8.

 

Change the auth-type on FortiGate:


60F (1) # show
config user radius
    edit "1"
        set server "10.56.241.172"
        set secret ENC k4HQf8yw/DTMF0/ee2w8aNOog4cnzfKXctCahB3NZ1JoNp2L1nvML5Wq9MBWe7YyIU/n4Om7z3c8Wk8Xq4OxLkyOyiQIufbHrqHcUwwPRpVg9eUjCg3yqHChUo4YZGjfVhy016zodEHhN3hkpK8IZtNSktc+OyuJ1MHc8iwsqSHMP/jgHDJRhfIFLDhr2e+0iDE/KVlmMjY3dkVA
        set auth-type pap
    next
end
60F (1) # set auth-type ms_chap_v2 <----- Change to ms_chap_v2.

60F (1) # end

 

Run the debug on the FortiGate:


60F # diagnose debug application flcfgd -1
Debug messages will be on for 30 minutes.
"name":"1",
    "q_origin_key":"1",
    "server":"10.56.241.172",
    "secret":"ENC DEtzTJhW5N8VfSAHBxV\/c8ZSBP9EAasuCe+YSjVmWJsKEkWa3KVibOeXU+h2Pnlcf3ctBRVBrHrUy4SKeytT4i+0L7aWCkobNzfo2zoGdz3Q2tsKKsatNhFrVqazoR7DVrW9PT1\/D9ZuIX
TVXUgzFjS+IsN8ukarBWFV59EPPZ1x0Tl2",
    "secondary-server":"",
    "secondary-secret":"ENC VAL6QGL4MAChCLIPnEDWPkUgvL\/HRFoRo96OE0JBgF+\/zDPnhdOvUAmWgrQrVhXNudmM5DiyGwDmrWXK3y2kuvkwA+UslujT3ZTXMtrjv1id2fF7mksCHWsl4TDhnsvmRSZG
ro+wkS3C3+6xLaGzZ56GEU5DOHD3Zmjl32ieR6m2gasL",
    "all-usergroup":"disable",
    "nas-ip":"0.0.0.0",
    "nas-ip6":"::",
    "acct-interim-interval":600,
    "acct-fast-framedip-detect":2,
    "frame-mtu-size":1500,
    "service-type":"",
    "radius-port":1812,
    "auth-type":"ms_chap", <-----should be ms_chap_v2.
    "addr-mode":"ipv4",
    "source-ip":"0.0.0.0",
    "source-ip6":"::",
    "link-monitor":"disable",
    "link-monitor-interval":15,
    "radius-coa":"disable",
    "radius-coa-secret":"ENC Ty8f4xbf3e0tfSrhv4J3vUGJMGymK\/s6HZDxT0iCmRKma\/45MRzS+JA0aHOEtZBn+vEwyoeN\/u5K9AJFXsh\/qAwzMxpllsS3O3o30ifLZ6HGomlLiLY6fWEyo8xuhxTwL
cLXwOeVL\/+stf9NACVWLeY4NH7muho1c++FRUVTCSu\/D02y",
    "acct-server":[
    ]
  },

 

Run the debug on the FortiSwitch:


S108FPTV24007759 # diagnose debug cli 8
S108FPTV24007759 # diagnose debug en
zip config file /data/./config/sys_vd_root.conf.gz success!
0: config user radius
0: edit "1"
0: set auth-type ms_chap <----- FortiSwitch received ms_chap config from FortiGate.
0: end
open file 10 to write config
write config file success, prepare to save in flash
zip config file /data/./config/sys_vd_root.conf.gz success!

 

The workaround is to change the RADIUS setting on the FortiSwitch manually.
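To check several RADIUS entries at once, the three outputs above can be compared automatically. The following Python script is an added example, not Fortinet code: it assumes the text formats shown in this article, the function names are hypothetical, and the sample inputs are constructed from the outputs above with the secrets left out.

```python
import re
# Constructed samples in the formats shown in this article (secrets left out).
FGT_SHOW = '''config user radius
    edit "1"
        set server "10.56.241.172"
        set auth-type ms_chap_v2
    next
end'''
FLCFGD_JSON = '''"name":"1",
    "auth-type":"ms_chap",'''
FSW_DEBUG = '''0: config user radius
0: edit "1"
0: set auth-type ms_chap
0: end'''

def parse_cli(text):
    """Map RADIUS entry -> auth-type from FortiGate 'show' or FortiSwitch 'N: ' debug lines."""
    result, in_radius, depth, name = {}, False, 0, None
    for raw in text.splitlines():
        line = re.sub(r"^\d+:\s*", "", raw.strip())
        if line == "config user radius":
            in_radius, depth = True, 0
        elif in_radius and line.startswith("config "):
            depth += 1                      # nested table: skip its edit/set lines
        elif in_radius and line == "end":
            in_radius, depth = depth > 0, max(depth - 1, 0)
        elif in_radius and depth == 0:
            if m := re.fullmatch(r'edit "?([^"]+)"?', line):
                name = m.group(1)
            elif name and (m := re.match(r"set auth-type (\S+)", line)):
                result[name] = m.group(1)
    return result

def parse_flcfgd(text):
    """Map name -> auth-type from the JSON fragment in the flcfgd debug output."""
    result, name = {}, None
    for key, val in re.findall(r'"(name|auth-type)"\s*:\s*"([^"]*)"', text):
        if key == "name":
            name = val
        elif name is not None:
            result[name] = val
    return result

def find_mismatches(fgt_show, flcfgd_json, fsw_debug):
    """Return (entry, stage, configured, observed) where a stage differs from the FortiGate."""
    want = parse_cli(fgt_show)
    stages = {"flcfgd push": parse_flcfgd(flcfgd_json),
              "FortiSwitch": parse_cli(fsw_debug)}
    return [(n, stage, want[n], seen[n]) for n in want
            for stage, seen in stages.items() if seen.get(n, want[n]) != want[n]]
```

Calling `find_mismatches(FGT_SHOW, FLCFGD_JSON, FSW_DEBUG)` on the samples reports entry "1" as `ms_chap` at both the flcfgd push and the FortiSwitch, against `ms_chap_v2` configured on the FortiGate. An empty list means all three stages agree.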
