FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
pginete
Staff
Staff
Article Id 343112
Description

This article describes a known issue that can occur with RADIUS authentication on the FortiGate after upgrading to v7.2.10, v7.4.5, or v7.6.1. Notably, this issue relates to recent mitigations for the Blast RADIUS vulnerability (CVE-2024-3596). Refer to the following third-party article for more information on the industry-wide issue: see this blast radius.fail article.

Scope

FortiGate v7.2.10+, v7.4.5+ and v7.6.1+.

Solution

In earlier versions (v7.2.0, v7.4.3, and earlier), RADIUS connections would be successful:

 

7.4.3 fgt.JPG

 

After upgrading the FortiGate to v7.2.10, v7.4.5, or v7.6.1, the RADIUS connection will show as failed with an error message of 'Invalid secret for the server' or 'No message-authenticator attribute':

 

Error in version 7.2.10 and v7.4.5:

 

7.4.5.JPG

 

Error in v7.6.1:

 

Error in version 7.6.1.png

 

This is occurring because v7.2.10, v7.4.,5 and v7.6.1 have applied mitigations to protect against the Blast RADIUS vulnerability. These mitigations include enforcing the validation of the Message-Authenticator RADIUS attribute (i.e., dropping server connections that fail to provide the attribute) and rejecting RADIUS responses with an unrecognized Proxy-State attribute.

 

However, RADIUS servers may not have been updated to support these same mitigations, and in those cases, RADIUS authentication will not be successful. To validate this issue, run fnbamd debugs on the FortiGate while testing RADIUS authentication:

 

diagnose debug application fnbamd -1

diagnose debug en

 

to disable previous debug :

 

diagnose debug disable

diagnose debug reset

 

In the fnbamd debug, the following debug messages indicate that the server is not including the Message-Authenticator attribute in its response, meaning the FortiGate will reject the message and fail to complete authentication with the RADIUS server:

 

[1156] __rad_chk_resp_authenticator-No Message Authenticator
[1210] fnbamd_rad_validate_pkt-Invalid digest
[905] __rad_rxtx-Error validating radius rsp
[1028] __rad_error-Ret 5, st = 1.

 

To resolve this issue, RADIUS servers must be updated to enable the Message-Authenticator attribute and include it in RADIUS messages. The following are suggested solutions/firmware for popular RADIUS servers:

 

  • Windows Server: See the 'RADIUS Authentication for Windows NPS' section below for more information.
  • FortiAuthenticator: See the 'RADIUS Authentication for FortiAuthenticator' section below for more information.
  • Linux FreeRADIUS: Refer to FreeRADIUS's documentation of the Blast RADIUS issue here: https://www.freeradius.org/security/ (2024.07.09 BlastRADIUS Vulnerability).
  • Cisco ISE: Under the Allowed Protocol configurations, enable 'Require Message-Authenticator for all RADIUS Requests' (refer to Cisco's documentation for further info: Blast-RADIUS (CVE-2024-3596) Protocol Spoofing Mitigation - Cisco).
  • Duo: Cisco Duo released a new update (Version 6.4.2) on October 21 2024 that adds the configuration option 'force_message_authenticator' to the 'radius_server' modules. In the Configuration file, set force_message_authenticator to true to force the Authentication Proxy to include a message-authenticator attribute in reply packets. (See also: Authentication Proxy - Release Notes | Duo Security).
    Note: It is important to understand that the DUO proxy server needs to be updated to 6.4.2. After that, the 'set force_message_authenticator to true' command will be available on the Duo proxy server. Follow the guidelines from Duo to update the Duo proxy server.
  • RSA Identity Router/RSA Authentication Manager: RSA has released patches to address this vulnerability: RSA ID Plus BlastRADIUS Vulnerability Fix: Frequently Asked Questions | RSA Community
  • OKTA RADIUS Agent: Okta has released an update for Okta RADIUS Agent versions prior to 2.24.0 and On-Prem MFA Agent version before v1.8.0 to resolve the vulnerability: See Required Update of RADIUS Agent Versions Prior to 2.24.0 and Okta On-Prem MFA Agent Versions Pri...

OKTA_Message_Authenticator.PNG

 

Note:

RADIUS over TLS (RADSEC) is not affected by this issue because the Message-Authenticator attribute is not mandatory in this scenario (as opposed to using plaintext RADIUS). RADSEC is supported on FortiOS 7.4.0 and later (see: Add RADSEC client support) and FortiAuthenticator 6.2.0 and later (see: Technical Tip: Radius with RADSEC support).


RADIUS Authentication for Windows NPS:
As noted above, FortiGates running v7.2.10, v7.4.5 or v7.6.1 will now send the Message-Authenticator attribute along with the Access-Request packet to the RADIUS server, as seen in the below PCAP screenshot:

 

3b. dbhavsar_0-1727267679744.png

 

 

Microsoft has since addressed the Blast RADIUS issue with Windows Server Network Policy Server (NPS) by rolling out updates to add Message-Authenticator support. Refer to the following documentation from Microsoft:

 

After updating Windows Server with the above updates, check the RADIUS Client settings in NPS to make sure the option is enabled:

 

dbhavsar_1-1727267680144.png

 

Once the update is complete, the FortiGate will be able to successfully authenticate via RADIUS using Windows Server NPS:

 

dbhavsar_2-1727267680235.png

 

RADIUS Authentication for FortiAuthenticator:

If FortiAuthenticator is being used as the RADIUS server, upgrade FortiAuthenticator to one of the following versions where Message-Authenticator support has been added:

  • FortiAuthenticator 6.4.10 and 6.5.6 (CLI only):
    • diagnose authentication require-radius-server-message-authenticator - Globally controls if remote RADIUS servers should send Message-Authenticator attribute (FortiAuthenticator as RADIUS Client).
    • diagnose authentication require-radius-client-message-authenticator - Globally controls if remote RADIUS clients should send Message-Authenticator attribute (FortiAuthenticator as RADIUS Server).
  • FortiAuthenticator 6.6.2 and later (GUI and CLI).

 

Refer to the following KB article to find the supported FortiAuthenticator Upgrade path: Technical Tip: FortiAuthenticator officially supported upgrade path.

 

Important Note for FortiAuthenticator v6.6.2 and later:

After upgrading FortiAuthenticator to version v6.6.2 or later, there is a per-Authentication Client option called 'Require the client to send Message-Authenticator attribute' (a new feature introduced in v6.6.2 to mitigate CVE-2024-3596). This option requires the RADIUS Client to send the Message-Authenticator attribute in the Authentication Request, otherwise it will be rejected. See the following for more info:

 

Capture.PNG

 

Bear in mind that FortiOS versions earlier than v7.2.10, v7.4.5, and v7.6.1 do not include the Message-Authenticator attribute in Access-Request messages to the RADIUS server, and so enabling this option on FortiAuthenticator can lead to the following error.

 
 

2024-10-04 11_57_22-FortiGate - c3po-kvm80.png

 

Note: 

The GUI test in v7.2.10 will fail because it does not send the Message-Authenticator AVP, but RADIUS authentication otherwise works correctly.

 

Workaround :

To validate RADIUS server connectivity using the CLI command:

 

FortiGate_CLI# diagnose test authserver radius <server> <method> <user> <password>

 

Example:


FortiGate_CLI# diagnose test authserver radius FortiAuthenticator mschap2 usertest password
authenticate 'usertest' against 'mschap2' succeeded, server=primary assigned_rad_session_id=1743897998 session_timeout=0 secs idle_timeout=0 secs!

Refer to Known Issue #1075627 in the v7.2.10 Release Notes for more information (v7.4.5 and v7.6.1 do not have this issue): Known issues 7.2.10.


The following is an example taken from a packet capture of a GUI-based RADIUS test on v7.2.10, which is missing the attribute:


RADIUS Protocol:


    Code: Access-Request (1)
    Packet identifier: 0x0 (0)
    Length: 126
    Authenticator: 4a9a7728c1e7793d876629b98767026c (this is NOT the message-authenticator!)
    Attribute Value Pairs
        AVP: t=NAS-Identifier(32) l=12 val=fgt.forti.lab
        AVP: t=User-Name(1) l=12 val=testuser
        AVP: t=Vendor-Specific(26) l=58 vnd=Microsoft(311)
        AVP: t=Vendor-Specific(26) l=24 vnd=Microsoft(311)

 

Compare this to the following example which does include the Message-Authenticator attribute.


RADIUS Protocol:

 

    Code: Access-Request (1)
    Packet identifier: 0x1d (29)
    Length: 204
    Authenticator: 289e42a9b407e5741a3fae7d9bfafefe
    Attribute Value Pairs
        AVP: t=NAS-Identifier(32) l=12 val=fgt.forti.lab
        AVP: t=User-Name(1) l=12 val=tstuser
        AVP: t=Vendor-Specific(26) l=58 vnd=Microsoft(311)
        AVP: t=Vendor-Specific(26) l=24 vnd=Microsoft(311)
        AVP: t=Framed-IP-Address(8) l=6 val=0.0.0.0
        AVP: t=NAS-IP-Address(4) l=6 val=10.48.48.1
        AVP: t=NAS-Port-Type(61) l=6 val=Virtual(5)
        AVP: t=Called-Station-Id(30) l=12 val=10.48.48.1
        AVP: t=Acct-Session-Id(44) l=10 val=72f00f00
        AVP: t=Connect-Info(77) l=6 val=test
        AVP: t=Vendor-Specific(26) l=14 vnd=Fortinet, Inc.(12356)
        AVP: t=Message-Authenticator(80) l=18 val=af4f4d4fc0ee64b1d87f2ff715f27e48
            Type: 80
            Length: 18
            Message-Authenticator: af4f4d4fc0ee64b1d87f2ff715f27e48

 

In summary:

  1. FortiOS (v7.2.9, v7.4.4 and earlier): FortiAuthenticator (v6.6.1 or earlier): Working (neither checks for Message-Authenticator).
  2. FortiOS (v7.2.9, v7.4.4 and earlier): FortiAuthenticator (v6.6.2) : Working (no check for Message-Authenticator by default).
  3. FortiOS (v7.2.10, v7.4.5, v7.6.1): FortiAuthenticator (v6.6.1 or earlier): Not Working (FortiAuthenticator not yet supporting Message-Authenticator).
  4. FortiOS (v7.2.10, v7.4.5, v7.6.1): FortiAuthenticator (v6.6.2) - Working (Both can support Message-Authenticator).
  5. FortiOS (v7.2.10, v7.4.5, v7.6.1): FortiAuthenticator (v6.5.6) - Working (Both can support Message-Authenticator).

 

Related articles:
Troubleshooting Tip: Radius connection issue with Microsoft NPAS after FortiGate upgraded to v7.2.10...

FortiGate v7.2.10 - Release notes