FortiGate
anoushiravan
Staff
Article Id 416910
Description This article describes how to resolve the 'Bad secret' error message seen in the RADIUS debug output when RADIUS accounting messages are sent to the FortiGate RSSO (RADIUS single sign-on) agent.
Scope FortiGate, FortiProxy.
Solution

The secret key in the RSSO agent configuration is case-sensitive: 'fortinet' and 'Fortinet' are two different secrets. The secret configured on the RADIUS client (the device that sends the accounting messages to FortiGate, for example NTRadPing) must therefore match the rsso-secret configured on the FortiGate side exactly, byte for byte:

config user radius
    edit "RSSO_Agent"
        set rsso enable
        set rsso-radius-response enable
        set rsso-validate-request-secret enable
        set rsso-secret <Secret Key>  <-----
        set rsso-endpoint-attribute <RSSO attribute>
    next
end


When the secret does not match (a difference in case is enough), FortiGate still receives the accounting packet but cannot verify it against its rsso-secret, so the packet is dropped, the user is not logged in, and 'Bad secret' is printed in the RADIUS daemon debug output:

FortiGate # diagnose debug disable
FortiGate # diagnose debug enable
FortiGate # diagnose debug application radiusd -1

FortiGate # 2025-10-28 12:40:49 Received radius accounting event
2025-10-28 12:40:49 Bad secret  <-----
2025-10-28 12:40:52 Received radius accounting event
2025-10-28 12:40:52 Bad secret
2025-10-28 12:40:55 Received radius accounting event
2025-10-28 12:40:55 Bad secret


The following example shows the same secret key, fortinet, configured in FortiGate and in NTRadPing. The key must be entered in NTRadPing with exactly the same spelling and case as on FortiGate:

config user radius
    edit "RSSO_Agent"
        set rsso enable
        set rsso-radius-response enable
        set rsso-validate-request-secret enable
        set rsso-secret fortinet  <-----
        set rsso-endpoint-attribute User-Name
    next
end

[Screenshot-2.png: NTRadPing configured with secret key fortinet]


When the secrets match, FortiGate accepts the RADIUS accounting message, inserts the endpoint into its RSSO database, and lists the user in the authenticated user list under the RSSO group whose sso-attribute-value matches the group value sent by the RADIUS client:

config user group
    edit "RSSO_Restricted_Web"
        set group-type rsso
        set sso-attribute-value "restricted"  <-----
    next
end

FortiGate # diagnose debug disable
FortiGate # diagnose debug enable
FortiGate # diagnose debug application radiusd -1
Debug messages will be on for 30 minutes.

FortiGate # Received radius accounting event
DB 0 insert [ep='dilan' pg='restricted' ip='10.135.6.139/32'] success  <-----
Send accounting response

FortiGate # diagnose firewall auth list

10.135.6.48, dilan   
type: rsso, id: 0, duration: 7190, idled: 35
flag(10): radius
server: root
packets: in 72306 out 54054, bytes: in 106650384 out 3262656
group_id: 14
group_name: RSSO_Restricted_Web <-----
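The check behind 'Bad secret' is the standard RFC 2866 accounting authenticator: the shared secret is never sent on the wire. The RADIUS client mixes it into an MD5 digest over the packet (the Request Authenticator), and the receiver recomputes that digest with its own copy of the secret. Any byte that differs, including a change of case, produces a different digest and the packet is rejected. The Python script below is an added example, not Fortinet code and not NTRadPing's code. It builds the Accounting-Start request a client such as NTRadPing would send for the user on this page and models the receiving side with rsso-validate-request-secret enabled. The function names (build_accounting_request, rsso_receive, demo), the sample attribute set, and the assumption that the group value travels in the Class attribute (FortiGate's default sso-attribute) are this example's own.

```python
"""Added example (not Fortinet or NTRadPing code): RFC 2866 accounting client and a
server-side check modelled on rsso-validate-request-secret.  Shows why the secret
must match byte for byte, case included."""
import hashlib
import hmac
import socket
import struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5                       # RADIUS codes (RFC 2866)
USER_NAME, FRAMED_IP, CLASS, ACCT_STATUS = 1, 8, 25, 40  # attribute types (RFC 2865/2866)
ACCT_START = 1

def encode_attr(atype, value):
    """Type-Length-Value; Length counts the two header bytes (max 255)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value

def parse_attrs(blob):
    """Inverse of encode_attr; rejects truncated or zero-length attributes."""
    attrs = []
    while blob:
        if len(blob) < 2:
            raise ValueError("malformed attribute")
        atype, alen = struct.unpack("!BB", blob[:2])
        if alen < 2 or alen > len(blob):
            raise ValueError("malformed attribute")
        attrs.append((atype, blob[2:alen]))
        blob = blob[alen:]
    return attrs

def build_accounting_request(secret, identifier, attrs):
    """Client side (what NTRadPing sends).  RFC 2866 s.3: Request Authenticator =
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", ACCT_REQUEST, identifier, 20 + len(body))
    auth = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return header + auth + body

def rsso_receive(packet, secret, group_attr=CLASS):
    """Server side, modelled on the RSSO agent with rsso-validate-request-secret
    enabled (FortiGate's implementation is not public; this is the RFC check).
    Returns ('Bad secret', None) on a mismatch, else ('ok', endpoint info).
    Assumption: the group name arrives in Class, FortiGate's default sso-attribute."""
    if len(packet) < 20:
        return "malformed", None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        return "malformed", None
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + body + secret).digest()
    if not hmac.compare_digest(packet[4:20], expected):
        return "Bad secret", None          # the line radiusd -1 prints on a mismatch
    attrs = dict(parse_attrs(body))
    info = {
        "ep": attrs.get(USER_NAME, b"").decode(errors="replace"),
        "pg": attrs.get(group_attr, b"").decode(errors="replace"),
        "ip": socket.inet_ntoa(attrs[FRAMED_IP]) if FRAMED_IP in attrs else None,
    }
    return "ok", info

def build_accounting_response(request, secret):
    """RFC 2866 s.3: Response Authenticator = MD5(Code + ID + Length + RequestAuth
    + Attributes + Secret); this is what rsso-radius-response enable sends back."""
    header = struct.pack("!BBH", ACCT_RESPONSE, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()

def verify_accounting_response(response, request, secret):
    """Client-side check that the response came from a peer holding the same secret."""
    if len(response) < 20 or response[0] != ACCT_RESPONSE or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)

# Constructed sample: the Accounting-Start NTRadPing would send for user 'dilan'.
SAMPLE_ATTRS = [
    (USER_NAME, b"dilan"),
    (FRAMED_IP, socket.inet_aton("10.135.6.139")),
    (CLASS, b"restricted"),
    (ACCT_STATUS, struct.pack("!I", ACCT_START)),
]

def demo(client_secret, server_secret):
    """One Accounting-Request built with client_secret, checked with server_secret."""
    req = build_accounting_request(client_secret, identifier=7, attrs=SAMPLE_ATTRS)
    return rsso_receive(req, server_secret)

if __name__ == "__main__":
    print(demo(b"fortinet", b"fortinet"))  # ('ok', {'ep': 'dilan', 'pg': 'restricted', 'ip': '10.135.6.139'})
    print(demo(b"Fortinet", b"fortinet"))  # ('Bad secret', None): only the case differs
```

The two demo calls reproduce the two debug traces on this page: with matching secrets the receiver returns the endpoint, group and IP that FortiGate logs in its 'DB 0 insert' line; with 'Fortinet' on the client and 'fortinet' on the server the packet parses fine but the authenticator does not verify, which is the only thing 'Bad secret' tells you. Sent over UDP to the FortiGate RSSO listener (port 1813 by default), the same packet would produce one of those two outcomes.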

 

Related documents: 

Technical Tip: Using NTRadPing with RSSO