Created on 09-23-2024 03:01 AM Edited on 01-07-2025 12:20 AM By Jean-Philippe_P
Description
This article describes the RADIUS connection issue with Microsoft NPAS after FortiGate is upgraded to v7.2.10 or v7.4.5.
Scope
FortiGate v7.2.10/v7.4.5/v7.6.1 and MS NPS Windows Server.
Solution
After FortiGate upgrades to 7.2.10/7.4.5/7.6.1, it will show 'invalid secret for the server' or 'No Message-Authenticator attribute' under User & Authentication -> RADIUS Servers -> Edit the name.
Also, the failure from the CLI is shown below:
The debug commands below make it possible to verify that there is no Message-Authenticator attribute:
diagnose debug console timestamp enable
diagnose debug application fnbamd -1
diagnose debug enable
...
Both versions implement a fix for the RADIUS vulnerability described in CVE-2024-3596, which demands that validation. However, even if the 'Access-Request messages must contain the Message-Authenticator attribute' option is enabled on the RADIUS client configured on the NPS server, it does not work.
Solution:
FortiGates that have been upgraded to v7.2.10 can be downgraded to v7.2.9 as a workaround for this issue. The ideal option is to use the alternate partition on the FortiGate to roll back to the immediate previous version: Technical Tip: Selecting an alternate firmware for the next reboot. Downgrading firmware can be an option as well but is not recommended: Technical Tip: FortiGate Firmware Downgrade for Minor Releases
Alternatively, the FortiGate can be safely upgraded from v7.2.10 to v7.4.4 where the RADIUS security fix has not yet been implemented. This is true even though the Fortinet Upgrade Path tool does not show it as an option.
Another workaround is available in v7.2.11, v7.4.6 and v7.6.1, which is to disable the require-message-authenticator attribute: