Description
This article describes a known issue that can occur with RADIUS authentication on the FortiGate after upgrading to v7.2.10, v7.4.5, or v7.6.1. Notably, this issue relates to recent mitigations for the Blast RADIUS vulnerability (CVE-2024-3596). For more information on the industry-wide issue, refer to the third-party blastradius.fail article.
Scope
FortiGate v7.2.10+, v7.4.5+ and v7.6.1+.
Solution
In earlier versions (v7.2.0, v7.4.3, and earlier), RADIUS connections would be successful:
After upgrading the FortiGate to v7.2.10, v7.4.5, or v7.6.1, the RADIUS connection will show as failed with an error message of 'Invalid secret for the server' or 'No message-authenticator attribute':
Error in v7.2.10 and v7.4.5:
Error in v7.6.1:
This is occurring because v7.2.10, v7.4.5 and v7.6.1 have applied mitigations to protect against the Blast RADIUS vulnerability. These mitigations include enforcing the validation of the Message-Authenticator RADIUS attribute (i.e., dropping server responses that fail to provide the attribute) and rejecting RADIUS responses with an unrecognized Proxy-State attribute.
However, RADIUS servers may not have been updated to support these same mitigations, and in those cases, RADIUS authentication will not be successful. To validate this issue, run fnbamd debugs on the FortiGate while testing RADIUS authentication:
diagnose debug application fnbamd -1
diagnose debug enable

To disable the previous debug session:
diagnose debug disable
diagnose debug reset
In the fnbamd debug, the following debug messages indicate that the server is not including the Message-Authenticator attribute in its response, meaning the FortiGate will reject the message and fail to complete authentication with the RADIUS server:
[1156] __rad_chk_resp_authenticator-No Message Authenticator
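The checks described above, as an added illustration that is not Fortinet's code: a constructed Python model in which a RADIUS server builds an Access-Accept with and without Message-Authenticator, and a client applies the hardened checks (Response Authenticator against the shared secret, Message-Authenticator HMAC-MD5 per RFC 2869, and unexpected Proxy-State). The shared secret, Request Authenticator, attribute values and the returned error strings are constructed sample data modelled on the messages quoted in this article.

```python
import hashlib
import hmac

MESSAGE_AUTHENTICATOR, PROXY_STATE = 80, 33  # attribute types (RFC 2869 / RFC 2865)

def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs: type, length, value."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)

def decode_attrs(data):
    """Parse RADIUS TLVs back into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(data):
        t, l = data[i], data[i + 1]
        if l < 2 or i + l > len(data):
            raise ValueError("malformed attribute")
        out.append((t, data[i + 2:i + l]))
        i += l
    return out

def build_response(code, ident, req_auth, attrs, secret, with_msg_auth=True):
    """Build an Access-Accept/Reject as a server would; Message-Authenticator is
    HMAC-MD5(secret, Code|ID|Length|RequestAuth|Attrs) with its value zeroed."""
    if with_msg_auth:
        attrs = attrs + [(MESSAGE_AUTHENTICATOR, bytes(16))]
    body = encode_attrs(attrs)
    head = bytes([code, ident]) + (20 + len(body)).to_bytes(2, "big")
    if with_msg_auth:  # length is fixed, so the HMAC can be filled in now
        mac = hmac.new(secret, head + req_auth + body, hashlib.md5).digest()
        body = encode_attrs(attrs[:-1] + [(MESSAGE_AUTHENTICATOR, mac)])
    # Response Authenticator (RFC 2865): MD5 over the packet plus the secret.
    return head + hashlib.md5(head + req_auth + body + secret).digest() + body

def check_response(packet, req_auth, secret, sent_proxy_states=()):
    """Apply the hardened client checks; return 'ok' or the failing check."""
    head, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    if hashlib.md5(head + req_auth + body + secret).digest() != resp_auth:
        return "Invalid secret for the server"
    attrs = decode_attrs(body)
    macs = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if not macs:
        return "No message-authenticator attribute"
    zeroed = [(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    expected = hmac.new(secret, head + req_auth + encode_attrs(zeroed), hashlib.md5)
    if not hmac.compare_digest(expected.digest(), macs[0]):
        return "Bad message-authenticator"
    if any(t == PROXY_STATE and v not in sent_proxy_states for t, v in attrs):
        return "Unrecognized Proxy-State"
    return "ok"
```

A server that has not been patched produces the second case (no attribute at all), which is the condition the fnbamd debug line above reports.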
To resolve this issue, RADIUS servers must be updated to enable the Message-Authenticator attribute and include it in RADIUS messages. The following are suggested solutions/firmware for popular RADIUS servers:
Note: RADIUS over TLS (RADSEC) is not affected by this issue because the Message-Authenticator attribute is not mandatory in this scenario (as opposed to using plaintext RADIUS). RADSEC is supported on FortiOS 7.4.0 and later (see: Add RADSEC client support) and FortiAuthenticator 6.2.0 and later (see: Technical Tip: Radius with RADSEC support).
Microsoft has since addressed the Blast RADIUS issue with Windows Server Network Policy Server (NPS) by rolling out updates to add Message-Authenticator support. Refer to the following documentation from Microsoft:
After updating Windows Server with the above updates, check the RADIUS Client settings in NPS to make sure the option is enabled:
Once the update is complete, the FortiGate will be able to successfully authenticate via RADIUS using Windows Server NPS:
RADIUS Authentication for FortiAuthenticator: If FortiAuthenticator is being used as the RADIUS server, upgrade FortiAuthenticator to one of the following versions where Message-Authenticator support has been added:
Refer to the following KB article to find the supported FortiAuthenticator Upgrade path: Technical Tip: FortiAuthenticator officially supported upgrade path.
Important Note for FortiAuthenticator v6.6.2 and later: After upgrading FortiAuthenticator to version v6.6.2 or later, there is a per-Authentication Client option called 'Require the client to send Message-Authenticator attribute' (a new feature introduced in v6.6.2 to mitigate CVE-2024-3596). This option requires the RADIUS Client to send the Message-Authenticator attribute in the Authentication Request, otherwise it will be rejected. See the following for more info:
Bear in mind that FortiOS versions earlier than v7.2.10, v7.4.5, and v7.6.1 do not include the Message-Authenticator attribute in Access-Request messages to the RADIUS server, and so enabling this option on FortiAuthenticator can lead to the following error.
Note: The GUI test in v7.2.10 will fail because it does not send the Message-Authenticator AVP, but RADIUS authentication otherwise works correctly.
Workaround: Validate RADIUS server connectivity using the following CLI command instead of the GUI test:
FortiGate_CLI# diagnose test authserver radius <server> <method> <user> <password>
Example:
Refer to Known Issue #1075627 in the v7.2.10 Release Notes for more information (v7.4.5 and v7.6.1 do not have this issue): Known issues 7.2.10.
Compare this to the following example which does include the Message-Authenticator attribute.
Code: Access-Request (1)
In summary:
Related articles:
Copyright 2025 Fortinet, Inc. All Rights Reserved.