FortiGate
SAJUDIYA
Staff
Article Id 356520
Description

This article describes how to resolve a connectivity issue with the RADIUS server that reports the error 'Invalid RADIUS secret' even though the correct secret (password) has been entered.

 

In a sniffer capture on the FortiGate, the RADIUS reply carries the text 'Cannot decode password':


2023-02-15 19:24:09.936292 private vlan in 192.168.x.x.1814 -> 192.168.x.x1813: udp 44
0x0000 0000 0000 0001 000cxxx xxxx xxx 4500 ........).j...E.
0x0010 0048 6d52 0000 8000cxxx xxxx xxx 410 c0a8 .HmR........d...
0x0020 6401 0716 0715 0000cxxx xxxx xxx 2a9b d......4.*...,*.
0x0030 bd0d 909e 7e74 000cxxx xxxx xxx 1218 ....~t...)..*...
0x0040 4361 6e6e 6f000cxxx xxxx xxx 520 7061 Cannot.decode.password

 

On the RADIUS server side, a packet decode of the same reply shows an Access-Reject whose Reply-Message attribute carries the error:

 

Frame 4: 86 bytes on wire (688 bits), 86 bytes captured (688 bits)
Ethernet II, Src: VMware_87:6c:18 (00:00:00_00:00:01), Dst: 00:00:00_00:00:01 (00:00:00:00:00:01)
Internet Protocol Version 4, Src: 192.168.x.x, Dst: 192.168.x.x
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
Total Length: 72
Identification: 0xc909 (51465)
Flags: 0x00
Fragment Offset: 0
Time to Live: 128
Protocol: UDP (17)
Header Checksum: 0x4c45 [validation disabled]
[Header checksum status: Unverified]
Source Address: 192.168.x.x
Destination Address: 192.168.x.x
User Datagram Protocol, Src Port: 1812, Dst Port: 13640
Source Port: 1812
Destination Port: 13640
Length: 52
Checksum: 0xb7ac [unverified]
[Checksum Status: Unverified]
[Stream index: 0]
[Timestamps]
UDP payload (44 bytes)
RADIUS Protocol
Code: Access-Reject (3)
Packet identifier: 0x0 (0)
Length: 44
Authenticator: xxxxxxxxxxxxxxxxxxxxxx
[This is a response to a request in frame 1]
[Time from request: 0.001895000 seconds]
Attribute Value Pairs
AVP: t=Reply-Message(18) l=24 val=Cannot decode password
Type: 18
Length: 24
Reply-Message: Cannot decode password
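The decode above is a plain RFC 2865 Access-Reject: a 20-byte header (Code 3, Identifier 0, Length 44, 16-byte Authenticator) followed by one Reply-Message AVP (type 18, length 24). The following is an added example, not Fortinet's or Microsoft's code, that parses such a reply and checks its Response Authenticator against the shared secret. The secret, the request authenticator and the packet bytes are constructed stand-ins for the redacted values in the capture. If the authenticator verifies, the secret configured on the FortiGate matches the one on NPS, and the 'Invalid RADIUS secret' message is not pointing at the real cause; the Reply-Message text is.

```python
"""Decode a RADIUS response and verify its Response Authenticator (RFC 2865).

Added example: the secret, request authenticator and packet are constructed.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ACCESS_CHALLENGE = 11
REPLY_MESSAGE = 18  # attribute type of the Reply-Message AVP

CODE_NAMES = {ACCESS_REQUEST: "Access-Request", ACCESS_ACCEPT: "Access-Accept",
              ACCESS_REJECT: "Access-Reject", ACCESS_CHALLENGE: "Access-Challenge"}

# Constructed values standing in for the redacted fields of the capture.
SHARED_SECRET = b"constructed-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))  # authenticator of the Access-Request (frame 1)


def encode_avps(avps):
    """Serialize (type, value) pairs as RADIUS AVPs: type, length incl. header, value."""
    out = bytearray()
    for attr_type, value in avps:
        if len(value) > 253:
            raise ValueError("AVP value longer than 253 bytes")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return bytes(out)


def response_authenticator(code, identifier, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, identifier, request_auth, secret, avps):
    """Build a server reply the way NPS would, so the parser has realistic input."""
    attrs = encode_avps(avps)
    auth = response_authenticator(code, identifier, attrs, request_auth, secret)
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + auth + attrs


def parse_radius(packet):
    """Parse header and AVPs; reject malformed lengths instead of reading past the buffer."""
    if len(packet) < 20:
        raise ValueError("RADIUS packet shorter than the 20-byte header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    avps = []
    pos = 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated AVP header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad AVP length")
        avps.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return {"code": code, "code_name": CODE_NAMES.get(code, f"code {code}"),
            "identifier": identifier, "length": length,
            "authenticator": packet[4:20], "avps": avps}


def reply_messages(parsed):
    """Return the text of every Reply-Message AVP in the parsed packet."""
    return [v.decode("utf-8", "replace") for t, v in parsed["avps"] if t == REPLY_MESSAGE]


def verify_response(packet, request_auth, secret):
    """True when the reply's authenticator was computed with this secret for this request."""
    parsed = parse_radius(packet)
    expected = response_authenticator(parsed["code"], parsed["identifier"],
                                      packet[20:parsed["length"]], request_auth, secret)
    return hmac.compare_digest(expected, parsed["authenticator"])


def diagnose(packet, request_auth, secret):
    """One-line verdict: secret mismatch, or a genuine server decision plus its Reply-Message."""
    parsed = parse_radius(packet)
    if not verify_response(packet, request_auth, secret):
        return "Response Authenticator does not verify: shared secret mismatch or altered reply"
    msgs = "; ".join(reply_messages(parsed)) or "(no Reply-Message)"
    return (f"{parsed['code_name']} id={parsed['identifier']} authenticated with the "
            f"configured secret; Reply-Message: {msgs}")


# Constructed Access-Reject with the same layout as the capture: 20 + 24 = 44 bytes.
ACCESS_REJECT_PACKET = build_response(ACCESS_REJECT, 0, REQUEST_AUTHENTICATOR, SHARED_SECRET,
                                      [(REPLY_MESSAGE, b"Cannot decode password")])

if __name__ == "__main__":
    print(diagnose(ACCESS_REJECT_PACKET, REQUEST_AUTHENTICATOR, SHARED_SECRET))
    print(diagnose(ACCESS_REJECT_PACKET, REQUEST_AUTHENTICATOR, b"wrong-secret"))
```

To use this on a real capture, take the 16-byte Authenticator from the Access-Request (frame 1 in the decode above) and the UDP payload of the reply, then call diagnose() with the secret configured on the FortiGate. A reply whose authenticator verifies was produced by a server holding the same secret, which rules the secret out as the cause.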

Scope
All supported versions of FortiOS.
Solution

Root cause:

 

The affected user account has its Network Access Permission set to 'Deny access' on the NPS/RADIUS server, under Active Directory Users and Computers -> the affected user account -> Properties -> Dial-in tab:

 

[Screenshot: Radius issue.png - Dial-in tab with Network Access Permission set to 'Deny access']

 

Solution:

Switch it back to the default option, 'Control access through NPS Network Policy':

 

[Screenshot: Radius solution.png - Dial-in tab with 'Control access through NPS Network Policy' selected]

 

Note: The 'Allow Access' setting is essentially equivalent to bypassing NPS checks, and should only be used for testing purposes. It is not recommended for production environments, as it poses increased security risks.

 

Ensure that the Network Policy on NPS is configured correctly, since with the default setting it is this policy that decides whether the user is granted access. Here is an example:

 

[Screenshot: NPS Policy.png - example NPS Network Policy]

 
