Troubleshooting Tip: RADIUS authentication failure after the firmware upgrade to v7.2.10/v7.4.5

In earlier versions (FortiOS v7.2.0, v7.4.3, and earlier), RADIUS connections would be successful:

After upgrading the FortiGate to v7.2.10 or v7.4.5, the RADIUS connection will show as failed with an error message of 'Invalid secret for the server':

This is occurring because FortiOS 7.2.10 and 7.4.5 have applied mitigations to protect against the Blast RADIUS vulnerability. These mitigations include enforcing the validation of the Message-Authenticator RADIUS attribute (i.e., dropping server connections that fail to provide the attribute) and rejecting RADIUS responses with an unrecognized Proxy-State attribute.

However, RADIUS servers may not have been updated to support these same mitigations, and in those cases, RADIUS authentication will not be successful. To validate this issue, run fnbamd debugs on the FortiGate while testing RADIUS authentication:

diagnose debug application fnbamd -1

diagnose debug en

In the fnbamd debug, the following debug messages indicate that the server is not including the Message-Authenticator attribute in its response, meaning the FortiGate will reject the message and fail to complete authentication with the RADIUS server:

[1156] __rad_chk_resp_authenticator-No Message Authenticator
[1210] fnbamd_rad_validate_pkt-Invalid digest
[905] __rad_rxtx-Error validating radius rsp
[1028] __rad_error-Ret 5, st = 1.

To resolve this issue, RADIUS servers must be updated to enable the Message-Authenticator attribute and include it in RADIUS messages. The following are suggested solutions/firmware for popular RADIUS servers:

• Windows Server: See the 'RADIUS Authentication for Windows NPS' section below for more information.
• FortiAuthenticator: See the 'RADIUS Authentication for FortiAuthenticator' section below for more information.
• Linux FreeRADIUS: Refer to FreeRADIUS's documentation of the Blast RADIUS issue here: https://www.freeradius.org/security/ (2024.07.09 BlastRADIUS Vulnerability).
• Cisco ISE: Under the Allowed Protocol configurations, enable 'Require Message-Authenticator for all RADIUS Requests' (refer to Cisco's documentation for further info: Blast-RADIUS (CVE-2024-3596) Protocol Spoofing Mitigation - Cisco).
• Duo: Cisco Duo released a new update (Version 6.4.2) on October 21 2024 that adds the configuration option 'force_message_authenticator' to the 'radius_server' modules. In the Configuration file, set force_message_authenticator to true to force the Authentication Proxy to include a message-authenticator attribute in reply packets. (See also: Authentication Proxy - Release Notes | Duo Security).
  
• RSA Identity Router/RSA Authentication Manager: RSA has released patches to address this vulnerability: RSA ID Plus BlastRADIUS Vulnerability Fix: Frequently Asked Questions | RSA Community.

Note: RADIUS over TLS (RADSEC) is not affected by this issue because the Message-Authenticator attribute is not mandatory in this scenario (as opposed to using plaintext RADIUS). RADSEC is supported on FortiOS 7.4.0 and later (see: Add RADSEC client support) as well as FortiAuthenticator 6.2.0 and later (see: Technical Tip: Radius with RADSEC support).

RADIUS Authentication for Windows NPS
As noted above, FortiGates running FortiOS 7.2.10 or 7.4.5 will now send the Message-Authenticator attribute along with the Access-Request packet to the RADIUS server, as seen in the below PCAP screenshot:

Microsoft has since addressed the Blast RADIUS issue with Windows Server Network Policy Server (NPS) by rolling out updates to add Message-Authenticator support. Refer to the following documentation from Microsoft:

• Windows 10 and 11, as well as Windows Server 2008 and 2012: KB5040268: How to manage the Access-Request packets attack vulnerability associated with CVE-2024-35...
• Windows Server 2019: KB5040430.
• See also the following from the Microsoft Security Response Center: CVE-2024-3596 RADIUS Protocol Spoofing Vulnerability.

After updating Windows Server with the above updates, check the RADIUS Client settings in NPS to make sure the option is enabled:

Once the update is complete, the FortiGate will be able to successfully authenticate via RADIUS using Windows Server NPS:

RADIUS Authentication for FortiAuthenticator.

If FortiAuthenticator is being used as the RADIUS server, upgrade FortiAuthenticator to one of the following versions where Message-Authenticator support has been added:

• FortiAuthenticator 6.4.10 and later (CLI only):
  • diagnose authentication require-radius-server-message-authenticator - Globally controls if remote RADIUS servers should send Message-Authenticator attribute (FortiAuthenticator as RADIUS Client).
  • diagnose authentication require-radius-client-message-authenticator - Globally controls if remote RADIUS clients should send Message-Authenticator attribute (FortiAuthenticator as RADIUS Server).
• FortiAuthenticator 6.6.2 and later (GUI and CLI).

Refer to the following KB article to find the supported FortiAuthenticator Upgrade path: Technical Tip: FortiAuthenticator officially supported upgrade path.

Important Note for FortiAuthenticator 6.6.2 and later.

After upgrading FortiAuthenticator to version 6.6.2 or later, there is a per-Authentication Client option called 'Require the client to send Message-Authenticator attribute' (a new feature introduced in 6.6.2 to mitigate CVE-2024-3596). This option requires the RADIUS Client to send the Message-Authenticator attribute in the Authentication Request, otherwise it will be rejected. See the following for more info:

• Administration Guide 6.6.2 Clients
• Release Notes 6.6.2 Upgrade instructions

Bear in mind that FortiOS versions earlier than 7.2.10, 7.4.5, and 7.6.1 do not include the Message-Authenticator attribute in Access-Request messages to the RADIUS server, and so enabling this option on FortiAuthenticator can lead to the following error.

Note: The GUI test in FortiOS 7.2.10 will fail because it does not send the Message-Authenticator AVP, but RADIUS authentication otherwise works correctly. Refer to Known Issue #1075627 in the 7.2.10 Release Notes for more information (FortiOS 7.4.5 and 7.6.1 do not have this issue): Known issues 7.2.10.

The following is an example taken from a packet capture of a GUI-based RADIUS test on 7.2.10, which is missing the attribute:

RADIUS Protocol:

    Code: Access-Request (1)
    Packet identifier: 0x0 (0)
    Length: 126
    Authenticator: 4a9a7728c1e7793d876629b98767026c (this is NOT the message-authenticator!)
    Attribute Value Pairs
        AVP: t=NAS-Identifier(32) l=12 val=fgt.forti.lab
        AVP: t=User-Name(1) l=12 val=testuser
        AVP: t=Vendor-Specific(26) l=58 vnd=Microsoft(311)
        AVP: t=Vendor-Specific(26) l=24 vnd=Microsoft(311)

Compare to the following example which does include the Message-Authenticator attribute.

RADIUS Protocol:

    Code: Access-Request (1)
    Packet identifier: 0x1d (29)
    Length: 204
    Authenticator: 289e42a9b407e5741a3fae7d9bfafefe
    Attribute Value Pairs
        AVP: t=NAS-Identifier(32) l=12 val=fgt.forti.lab
        AVP: t=User-Name(1) l=12 val=tstuser
        AVP: t=Vendor-Specific(26) l=58 vnd=Microsoft(311)
        AVP: t=Vendor-Specific(26) l=24 vnd=Microsoft(311)
        AVP: t=Framed-IP-Address(8) l=6 val=0.0.0.0
        AVP: t=NAS-IP-Address(4) l=6 val=10.48.48.1
        AVP: t=NAS-Port-Type(61) l=6 val=Virtual(5)
        AVP: t=Called-Station-Id(30) l=12 val=10.48.48.1
        AVP: t=Acct-Session-Id(44) l=10 val=72f00f00
        AVP: t=Connect-Info(77) l=6 val=test
        AVP: t=Vendor-Specific(26) l=14 vnd=Fortinet, Inc.(12356)
        AVP: t=Message-Authenticator(80) l=18 val=af4f4d4fc0ee64b1d87f2ff715f27e48
            Type: 80
            Length: 18
            Message-Authenticator: af4f4d4fc0ee64b1d87f2ff715f27e48

In summary:

1. FortiOS (v7.2.9, v7.4.4 and earlier): FortiAuthenticator (v6.6.1 or earlier): Working (neither checks for Message-Authenticator).
2. FortiOS (v7.2.9, v7.4.4 and earlier): FortiAuthenticator (v6.6.2) : Working (no check for Message-Authenticator by default).
3. FortiOS (v7.2.10, v7.4.5): FortiAuthenticator (v6.6.1 or earlier): Not Working (FortiAuthenticator not yet supporting Message-Authenticator).
4. FortiOS (v7.2.10, v7.4.5): FortiAuthenticator (v6.6.2) - Working (Both can support Message-Authenticator).