syadav, Staff
Article Id 386239
Description: This article describes the process of renewing an expired password for a RADIUS user over an IPsec IKEv1 dial-up tunnel with XAuth.
Scope: FortiOS.
Solution

Configure the IPsec tunnel with IKEv1 and set the RADIUS user group as the XAuth user group.

Below is the configuration using IKEv1. Note that password renewal does not work with IKEv2.


config vpn ipsec phase1-interface
    edit "Dialuptest"
        set type dynamic
        set interface "wan1"
        set peertype one
        set net-device disable
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dpd on-idle
        set xauthtype auto
        set authusrgrp "radiustest"  <----- RADIUS group.
        set peerid "HR"
        set ipv4-start-ip 192.168.10.2
        set ipv4-end-ip 192.168.10.254
        set ipv4-netmask 255.255.255.0
        set unity-support disable
        set psksecret ENC +1u2uavHeFMjvKfDMBNVuLoOBGC77MSsl3B05+DE7Yd8n4RAETa3lRF2SdyCoFSXRTEWm51lmMjY3dkVA
        set dpd-retryinterval 60
    next
end


RADIUS configuration (MS-CHAPv2 is required, since the change-password exchange is part of MS-CHAPv2):


config user radius
    edit "test"
        set server "10.128.x.x"
        set secret <passwd>
        set auth-type ms_chap_v2
        set password-renewal enable
    next
end

 

User group for RADIUS:

 

config user group
    edit "radiustest"
        set member "test"
    next
end
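As an added check, not part of the article, the following Python parses FortiOS CLI text such as the three blocks above and reports anything that would stop an XAuth user from renewing an expired password: IKEv2 in the phase1, a RADIUS server without auth-type ms_chap_v2, or password-renewal left disabled. The config text is a constructed sample, and the FortiOS defaults assumed when a setting is absent (ike-version 1, auth-type auto, password-renewal disable) are stated in the code.

```python
import shlex
# Constructed sample after the article's three blocks; password-renewal is left out on purpose.
SAMPLE = """
config vpn ipsec phase1-interface
    edit "Dialuptest"
        set xauthtype auto
        set authusrgrp "radiustest"
    next
end
config user radius
    edit "test"
        set auth-type ms_chap_v2
    next
end
config user group
    edit "radiustest"
        set member "test"
    next
end
"""

def parse_fortios(text):
    """Parse FortiOS CLI text into {table: {entry: {key: [values]}}}."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        parts = shlex.split(raw) or [None]  # blank lines, "next" and "end" fall through
        if parts[0] == "config":
            table = tables.setdefault(" ".join(parts[1:]), {})
        elif parts[0] == "edit":
            entry = table.setdefault(parts[1], {})
        elif parts[0] == "set":
            entry[parts[1]] = parts[2:]
    return tables

def check_password_renewal(text):
    """List why XAuth users of each phase1 could not renew an expired password."""
    cfg = parse_fortios(text)
    findings, radius, groups = [], cfg.get("user radius", {}), cfg.get("user group", {})
    for name, p1 in cfg.get("vpn ipsec phase1-interface", {}).items():
        if p1.get("ike-version", ["1"])[0] != "1":  # assumed default: IKEv1
            findings.append(f"{name}: IKEv2 does not support XAuth password renewal")
        grp = p1.get("authusrgrp", [None])[0]
        for member in groups.get(grp, {}).get("member", []):
            srv = radius.get(member)
            if srv is None:
                continue  # local user or non-RADIUS member
            if srv.get("auth-type", ["auto"])[0] != "ms_chap_v2":  # assumed default: auto
                findings.append(f"{name}: RADIUS {member} needs auth-type ms_chap_v2")
            if srv.get("password-renewal", ["disable"])[0] != "enable":  # assumed default: disable
                findings.append(f"{name}: RADIUS {member} has password-renewal disabled")
    return findings
```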

 

On the Windows NPS RADIUS server, configure the Network Policy as shown in the following screenshot:

Network Policies: enable 'MS-CHAP-v2' and 'User can change password after it has expired'.

 

(Screenshot: NPS Network Policy authentication settings)

 

To change an expired password, log in to the VPN with the existing password. On login, the Answer prompt appears; enter the new password there.

Note: Previously used passwords cannot be reused on renewal. The new password must meet the organization's complexity requirements.

 

(Screenshot: Answer prompt for the new password)

 

If the password change succeeds, the VPN connection is established with the new password.

 

(Screenshot: VPN connected after the password change)

 

Debug output:

fnbamd_radius_get_next_auth_prot-Next auth prot MS-CHAPv2
fnbamd_rad_process-Challenged: 1, FTK_Challenge: 0, CHG_PWD: 1, Invaid_Digest: 0, State_Len: 0  <----- Change password set.
[828] __rad_rxtx-fd 10, state 3(Change Password)  <-----
[830] __rad_rxtx-Stop rad conn timer.
[837] __rad_rxtx-
[723] fnbamd_rad_make_chg_pwd_request-
[762] fnbamd_rad_make_chg_pwd_request-Calculated MSCHAPv2 CPW credential <----- New password validation.
[328] __create_access_request-Compose RADIUS request

 

Related article:

RADIUS and XAuth authentication - FortiClient