Article Id 343112

This article describes a known issue that can occur with RADIUS authentication on the FortiGate after upgrading to v7.2.10, v7.4.5, or v7.6.1. Notably, this issue relates to recent mitigations for the Blast RADIUS vulnerability (CVE-2024-3596). Refer to the third-party Blast RADIUS article for more information on the industry-wide issue.


FortiGate v7.2.10+, v7.4.5+ and v7.6.1+.


In earlier versions (v7.2.0, v7.4.3, and earlier), RADIUS connections would be successful:


[Screenshot: successful RADIUS connection test on v7.4.3]


After upgrading the FortiGate to v7.2.10, v7.4.5, or v7.6.1, the RADIUS connection will show as failed with an error message of 'Invalid secret for the server' or 'No message-authenticator attribute':


Error in v7.2.10 and v7.4.5:




Error in v7.6.1 and v7.2.11:


[Screenshot: error shown in v7.6.1]


This is occurring because v7.2.10, v7.4.5, and v7.6.1 have applied mitigations to protect against the Blast RADIUS vulnerability. These mitigations include enforcing the validation of the Message-Authenticator RADIUS attribute (i.e., dropping server connections that fail to provide the attribute) and rejecting RADIUS responses with an unrecognized proxy state attribute.


However, RADIUS servers may not have been updated to support these same mitigations, and in those cases, RADIUS authentication will not be successful. To validate this issue, run fnbamd debugs on the FortiGate while testing RADIUS authentication:


diagnose debug application fnbamd -1

diagnose debug en


To disable any previously enabled debug output:


diagnose debug disable

diagnose debug reset


In the fnbamd debug, the following debug messages indicate that the server is not including the Message-Authenticator attribute in its response, meaning the FortiGate will reject the message and fail to complete authentication with the RADIUS server:


[1156] __rad_chk_resp_authenticator-No Message Authenticator
[1210] fnbamd_rad_validate_pkt-Invalid digest
[905] __rad_rxtx-Error validating radius rsp
[1028] __rad_error-Ret 5, st = 1.


To resolve this issue, RADIUS servers must be updated to enable the Message-Authenticator attribute and include it in RADIUS messages. The following are suggested solutions/firmware for popular RADIUS servers:


  • Windows Server: See the 'RADIUS Authentication for Windows NPS' section below for more information.
  • FortiAuthenticator: See the 'RADIUS Authentication for FortiAuthenticator' section below for more information.
  • FortiNAC: This attribute is enabled by default, but the Connection status in FortiGate will still fail. This is just a cosmetic issue related to the testing procedure: normal authentications are not affected. In later versions of FortiNAC this is fixed and the attribute is also returned for the testing procedure (see Technical Tip: How to configure FortiNAC to send the 'Message-Authenticator' attribute in Access-Acc...).
  • Linux FreeRADIUS: Refer to FreeRADIUS's documentation of the Blast RADIUS issue here: (2024.07.09 BlastRADIUS Vulnerability).
  • Cisco ISE: Under the Allowed Protocol configurations, enable 'Require Message-Authenticator for all RADIUS Requests' (refer to Cisco's documentation for further info: Blast-RADIUS (CVE-2024-3596) Protocol Spoofing Mitigation - Cisco).
  • Duo: Cisco Duo released a new update (Version 6.4.2) on October 21 2024 that adds the configuration option 'force_message_authenticator' to the 'radius_server' modules. In the Configuration file, set force_message_authenticator to true to force the Authentication Proxy to include a message-authenticator attribute in reply packets. (See also: Authentication Proxy - Release Notes | Duo Security).
    Note: It is important to understand that the Duo proxy server needs to be updated to 6.4.2. After that, the 'set force_message_authenticator to true' command will be available on the Duo proxy server. Follow the guidelines from Duo to update the Duo proxy server.
  • RSA Identity Router/RSA Authentication Manager: RSA has released patches to address this vulnerability: RSA ID Plus BlastRADIUS Vulnerability Fix: Frequently Asked Questions | RSA Community.
  • Aruba Clearpass Policy Manager: Aruba released a patch to all Clearpass policy manager servers running versions 6.2.11 and below, as stated in this document: HPESBNW04662 rev.6 - RADIUS protocol susceptible to forgery attacks
    • CPPM-x86_64-20240920-clearpass-6.12-updates-4-aruba-612-patch is recommended to be installed on Clearpass policy manager servers running v6.2.12.
  • OKTA RADIUS Agent: Okta has released an update for Okta RADIUS Agent versions before v2.24.0 and On-Prem MFA Agent version before v1.8.0 to resolve the vulnerability: See Required Update of RADIUS Agent Versions Prior to 2.24.0 and Okta On-Prem MFA Agent Versions Pri...





RADIUS over TLS (RADSEC) is not affected by this issue because the Message-Authenticator attribute is not mandatory in this scenario (as opposed to using plaintext RADIUS). RADSEC is supported on FortiOS v7.4.0 and later (see: Add RADSEC client support) and FortiAuthenticator v6.2.0 and later (see: Technical Tip: Radius with RADSEC support).

RADIUS Authentication for Windows NPS:
As noted above, FortiGates running v7.2.10, v7.4.5 or v7.6.1 will now send the Message-Authenticator attribute along with the Access-Request packet to the RADIUS server, as seen in the below PCAP screenshot:


[Screenshot: packet capture of an Access-Request carrying the Message-Authenticator attribute]


Microsoft has since addressed the Blast RADIUS issue with Windows Server Network Policy Server (NPS) by rolling out updates to add Message-Authenticator support. Refer to the following documentation from Microsoft:


After updating Windows Server with the above updates, check the RADIUS Client settings in NPS to make sure the option is enabled:




Once the update is complete, the FortiGate will be able to successfully authenticate via RADIUS using Windows Server NPS:




RADIUS Authentication for FortiAuthenticator:

If FortiAuthenticator is being used as the RADIUS server, upgrade FortiAuthenticator to one of the following versions where Message-Authenticator support has been added:

  • FortiAuthenticator 6.4.10 and 6.5.6 (CLI only):
    • diagnose authentication require-radius-server-message-authenticator <enable | disable*> - Globally controls if remote RADIUS servers should send Message-Authenticator attribute (FortiAuthenticator as RADIUS Client).
    • diagnose authentication require-radius-client-message-authenticator <enable | disable*> - Globally controls if remote RADIUS clients should send Message-Authenticator attribute (FortiAuthenticator as RADIUS Server).
  • FortiAuthenticator v6.6.2 and later (GUI and CLI).


Refer to the following KB article to find the supported FortiAuthenticator Upgrade path: Technical Tip: FortiAuthenticator officially supported upgrade path


Important Note for FortiAuthenticator v6.6.2 and later:

After upgrading FortiAuthenticator to version v6.6.2 or later, there is a per-Authentication Client option called 'Require the client to send Message-Authenticator attribute' (a new feature introduced in v6.6.2 to mitigate CVE-2024-3596). This option requires the RADIUS Client to send the Message-Authenticator attribute in the Authentication Request, otherwise it will be rejected. See the following for more info:




Bear in mind that FortiOS versions earlier than v7.2.10, v7.4.5, and v7.6.1 do not include the Message-Authenticator attribute in Access-Request messages to the RADIUS server, and so enabling this option on FortiAuthenticator can lead to the following error.


[Screenshot: resulting FortiGate RADIUS error]


Important Note for FortiAuthenticator v6.5.6 and v6.4.10:

FortiAuthenticator v6.4.10 and v6.5.6 only support enabling or disabling Message-Authenticator globally so all RADIUS clients need to either support this attribute or have it disabled. A granular option, such as in FortiAuthenticator v6.6.2 described above, is not possible.



The GUI test in v7.2.10 will fail because it does not send the Message-Authenticator AVP, but RADIUS authentication otherwise works correctly.


Workaround:

To validate RADIUS server connectivity, use the CLI command:


FortiGate_CLI# diagnose test authserver radius <server> <method> <user> <password>



FortiGate_CLI# diagnose test authserver radius FortiAuthenticator mschap2 usertest password
authenticate 'usertest' against 'mschap2' succeeded, server=primary assigned_rad_session_id=1743897998 session_timeout=0 secs idle_timeout=0 secs!

Refer to Known Issue #1075627 in the v7.2.10 Release Notes for more information (v7.2.11, v7.4.5 and v7.6.1 do not have this issue): Known issues 7.2.10.


If an error is still faced with FortiAuthenticator v6.6 and MS-CHAPv2 is the protocol used for RADIUS authentication, there is a known issue that causes MS-CHAPv2 RADIUS authentication to fail (ID 1026189). Refer to this article.

The following is an example taken from a packet capture of a GUI-based RADIUS test on v7.2.10, which is missing the attribute:

RADIUS Protocol:

    Code: Access-Request (1)
    Packet identifier: 0x0 (0)
    Length: 126
    Authenticator: 4a9a7728c1e7793d876629b98767026c (this is NOT the message-authenticator!)
    Attribute Value Pairs
        AVP: t=NAS-Identifier(32) l=12 val=fgt.forti.lab
        AVP: t=User-Name(1) l=12 val=testuser
        AVP: t=Vendor-Specific(26) l=58 vnd=Microsoft(311)
        AVP: t=Vendor-Specific(26) l=24 vnd=Microsoft(311)


Compare this to the following example, which does include the Message-Authenticator attribute.

RADIUS Protocol:


    Code: Access-Request (1)
    Packet identifier: 0x1d (29)
    Length: 204
    Authenticator: 289e42a9b407e5741a3fae7d9bfafefe
    Attribute Value Pairs
        AVP: t=NAS-Identifier(32) l=12 val=fgt.forti.lab
        AVP: t=User-Name(1) l=12 val=tstuser
        AVP: t=Vendor-Specific(26) l=58 vnd=Microsoft(311)
        AVP: t=Vendor-Specific(26) l=24 vnd=Microsoft(311)
        AVP: t=Framed-IP-Address(8) l=6 val=
        AVP: t=NAS-IP-Address(4) l=6 val=
        AVP: t=NAS-Port-Type(61) l=6 val=Virtual(5)
        AVP: t=Called-Station-Id(30) l=12 val=
        AVP: t=Acct-Session-Id(44) l=10 val=72f00f00
        AVP: t=Connect-Info(77) l=6 val=test
        AVP: t=Vendor-Specific(26) l=14 vnd=Fortinet, Inc.(12356)
        AVP: t=Message-Authenticator(80) l=18 val=af4f4d4fc0ee64b1d87f2ff715f27e48
            Type: 80
            Length: 18
            Message-Authenticator: af4f4d4fc0ee64b1d87f2ff715f27e48
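The following Python script is an added example (not Fortinet code) that performs the same two checks behind the 'No Message Authenticator' and 'Invalid digest' fnbamd debug lines: it walks the AVPs of a RADIUS packet, reports whether attribute 80 is present, and verifies its HMAC-MD5 per RFC 2869 using the shared secret and the Request Authenticator. The packet, secret and attribute values are constructed for the example.

```python
import hashlib
import hmac
import struct

MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 2869)


def parse_avps(pkt):
    """Return [(type, value, offset)] for the AVPs after the 20-byte header."""
    avps, off = [], 20
    while off < len(pkt):
        length = pkt[off + 1] if off + 1 < len(pkt) else 0
        if length < 2 or off + length > len(pkt):
            raise ValueError("malformed AVP at offset %d" % off)
        avps.append((pkt[off], pkt[off + 2:off + length], off))
        off += length
    return avps


def check_message_authenticator(pkt, secret, request_authenticator):
    """Classify a packet as 'missing', 'invalid' or 'ok', i.e. the checks behind
    the 'No Message Authenticator' / 'Invalid digest' fnbamd debug lines.
    For a response pass the matching request's Authenticator; for an
    Access-Request pass pkt[4:20] (the packet's own Request Authenticator)."""
    hits = [(v, off) for t, v, off in parse_avps(pkt) if t == MSG_AUTH]
    if not hits:
        return "missing"
    value, off = hits[0]
    if len(value) != 16:
        return "invalid"
    # RFC 2869 5.14: HMAC-MD5(secret, packet) with the Request Authenticator in the
    # Authenticator field and the Message-Authenticator value itself zeroed.
    zeroed = (pkt[:4] + request_authenticator + pkt[20:off + 2]
              + b"\0" * 16 + pkt[off + 18:])
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return "ok" if hmac.compare_digest(expected, value) else "invalid"


def build_response(code, ident, request_authenticator, secret, avps, with_msg_auth=True):
    """Build a RADIUS response from constructed AVPs, optionally with attribute 80."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in avps)
    if with_msg_auth:
        body += bytes([MSG_AUTH, 18]) + b"\0" * 16  # placeholder, filled in below
    pkt = struct.pack("!BBH", code, ident, 20 + len(body)) + request_authenticator + body
    if with_msg_auth:
        off = len(pkt) - 18
        pkt = pkt[:off + 2] + hmac.new(secret, pkt, hashlib.md5).digest() + pkt[off + 18:]
    # Response Authenticator (RFC 2865 3): MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(pkt[:4] + request_authenticator + pkt[20:] + secret).digest()
    return pkt[:4] + resp_auth + pkt[20:]
```

A server that omits attribute 80 yields 'missing' (the v7.2.10/v7.4.5/v7.6.1 rejection case), while a response signed with a different secret or altered in transit yields 'invalid'.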


In summary:

  1. FortiOS v7.2.9, v7.4.4 and earlier with FortiAuthenticator v6.6.1 or earlier: Working (neither checks for Message-Authenticator).
  2. FortiOS v7.2.9, v7.4.4 and earlier with FortiAuthenticator v6.6.2: Working (no check for Message-Authenticator by default).
  3. FortiOS v7.2.10, v7.4.5, v7.6.1 with FortiAuthenticator v6.6.1 or earlier: Not Working (FortiAuthenticator not yet supporting Message-Authenticator).
  4. FortiOS v7.2.10, v7.4.5, v7.6.1 with FortiAuthenticator v6.6.2: Working (both can support Message-Authenticator).
  5. FortiOS v7.2.10, v7.4.5, v7.6.1 with FortiAuthenticator v6.5.6: Working (both can support Message-Authenticator).
  6. FortiOS v7.2.10, v7.4.5, v7.6.1 with FortiAuthenticator v6.4.10: Working (both can support Message-Authenticator).


Starting with v7.2.11, v7.4.6, and v7.6.1, a new option has been added to revert to the original behavior:


config user radius
    edit "<server>"
        set require-message-authenticator disable
    next
end


  • enable: Make the validation of the message authenticator mandatory in the authentication response.
  • disable: Make the validation of the message authenticator optional in the authentication response.


In v7.4.6, v7.4.7, and v7.6.1, when the RADIUS server has the require-message-authenticator setting disabled, the GUI RADIUS Server dialog -> 'Test connectivity' and 'Test user credentials' still check for the Message-Authenticator value and incorrectly fail the test with a 'missing authenticator' error message.


This is only a GUI display issue and the end-to-end integration with the Radius server should still work.


The user can confirm the connection to the RADIUS server via the CLI command:

diagnose test authserver radius <server> <method> <user> <password>


The behavior is fixed on the following versions: v7.2.11, v7.4.8, v7.6.3.


Related documents:
Troubleshooting Tip: Radius connection issue with Microsoft NPAS after FortiGate upgraded to v7.2.10...

FortiGate v7.2.10 - Release notes

Technical Tip: Workaround for Blast RADIUS mitigation behavior in v7.2.11, v7.4.6 and v7.6.1

Troubleshooting Tip: RADIUS authentication troubleshooting