FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
Hatibi
Staff
Article Id 367086
Description This article describes how to identify the RADIUS reject cause when EAP-MSCHAPv2 is used as authentication method.
Scope FortiNAC-F.
Solution

MSCHAPv2 is a challenge response protocol and a widely used EAP authentication method. In such implementations, FortiNAC will query the Directory server (AD) in order to perform user lookup and validate credentials.

To get an overview of RADIUS authentication statistics in FortiNAC, it is useful to enable 'Activity Monitoring' under Network->Radius->General Settings.

On some occasions, administrators may notice failure events such as the one in Figure 1 below:


Figure 1. Filter for Access-Reject Events in Activity Monitoring tab in Network->Radius->Activity

These could be sporadic failed attempts for users whose Windows AD credentials are cached and supplied automatically during 802.1X authentication for network access. In other words, the username and password are correct, yet authentication fails intermittently.

In the output.master log file, only the following event is visible:


yams.RadiusAccess.XX.XX.XX.XX.XX CONFIG :: 2024-12-16 15:06:18:940 :: #569 :: [Access-Reject-Event] - Credentials Invalid (MSCHAP2)


To find the reason for the failure, check the log messages located in /var/log/radius/radius.log. The RADIUS logs will show the following:

(178) mschap-forti_com: --> --username=fortilab_user
(178) mschap-forti_com: Creating challenge hash with username: fortilab_user
(178) mschap-forti_com: EXPAND --challenge=%{%{mschap-forti_com:Challenge}:-00}
(178) mschap-forti_com: --> --challenge=YYYYYYYYY
(178) mschap-forti_com: EXPAND --nt-response=%{%{mschap-forti_com:NT-Response}:-00}
(178) mschap-forti_com: --> --nt-response=XXXXXXXXXX
Child PID 3172862 is taking too much time: forcing failure and killing child.
(178) mschap-forti_com: ERROR: Failed to read from child output
(178) mschap-forti_com: External script failed
(178) mschap-forti_com: ERROR: External script says:
(178) mschap-forti_com: ERROR: MS-CHAP2-Response is incorrect

...

rlm_rest (rest_reject): Closing connection (7): Hit idle_timeout, was idle for 2671 seconds
rlm_rest (rest_reject): You probably need to lower "min"
rlm_rest (rest_reject): Closing connection (8): Hit idle_timeout, was idle for 2671 seconds
rlm_rest (rest_reject): You probably need to lower "min"
rlm_rest (rest_reject): 0 of 0 connections in use. You may need to increase "spare"

...

(178) rest_reject: Parsing attribute "Module-Failure-Message"
(178) rest_reject: EXPAND Credentials Invalid (MSCHAP2)
(178) rest_reject: --> Credentials Invalid (MSCHAP2)
(178) rest_reject: Module-Failure-Message := "Credentials Invalid (MSCHAP2)"

...

(178) Login incorrect (No NT-Domain was found in the User-Name): [fortilab_user] (from client 192.168.10.2 port 11 cli XX-XX-XX-XX-XX-XX via TLS tunnel)

These log messages show that the external credential-check helper spawned by the mschap module was killed for taking too long ('Child PID ... is taking too much time: forcing failure and killing child'). In other words, the Active Directory did not respond fast enough to the credential validation query from FortiNAC, and the subsequent 'MS-CHAP2-Response is incorrect' message reflects that forced failure rather than a wrong password.
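As an added example (not part of the original article or of FortiNAC), the following Python script groups radius.log lines by FreeRADIUS request number and separates rejects where the external credential-check helper was killed for taking too long from rejects where the helper itself reported a mismatch. The sample log is constructed from the excerpt above plus a second, invented request (201) that fails without a helper time-out, so both outcomes can be compared; the unprefixed 'Child PID ...' line is attributed to the most recently seen request number as a heuristic.

```python
import re
from collections import OrderedDict

# Constructed sample modelled on the radius.log excerpt in the article:
# request (178) is the slow-AD case from the article, request (201) is an
# invented plain wrong-password case with no helper time-out.
SAMPLE_LOG = """\
(178) mschap-forti_com: --> --username=fortilab_user
(178) mschap-forti_com: Creating challenge hash with username: fortilab_user
(178) mschap-forti_com: --> --challenge=YYYYYYYYY
(178) mschap-forti_com: --> --nt-response=XXXXXXXXXX
Child PID 3172862 is taking too much time: forcing failure and killing child.
(178) mschap-forti_com: ERROR: Failed to read from child output
(178) mschap-forti_com: External script failed
(178) mschap-forti_com: ERROR: External script says:
(178) mschap-forti_com: ERROR: MS-CHAP2-Response is incorrect
(178) rest_reject: Module-Failure-Message := "Credentials Invalid (MSCHAP2)"
(178) Login incorrect (No NT-Domain was found in the User-Name): [fortilab_user] (from client 192.168.10.2 port 11 cli XX-XX-XX-XX-XX-XX via TLS tunnel)
(201) mschap-forti_com: --> --username=other_user
(201) mschap-forti_com: Creating challenge hash with username: other_user
(201) mschap-forti_com: External script failed
(201) mschap-forti_com: ERROR: External script says:
(201) mschap-forti_com: ERROR: MS-CHAP2-Response is incorrect
(201) rest_reject: Module-Failure-Message := "Credentials Invalid (MSCHAP2)"
(201) Login incorrect: [other_user] (from client 192.168.10.2 port 12 cli XX-XX-XX-XX-XX-XX via TLS tunnel)
"""

REQ_PREFIX = re.compile(r"^\((\d+)\)\s")
USERNAME = re.compile(r"--username=(\S+)")

# Markers that mean the helper never answered (directory slow or unreachable),
# as opposed to a helper that answered "wrong password".
TIMEOUT_MARKERS = ("is taking too much time", "Failed to read from child output")
MISMATCH_MARKER = "MS-CHAP2-Response is incorrect"
REJECT_MARKER = "Login incorrect"


def group_by_request(log_text):
    """Attach each radius.log line to its FreeRADIUS request number.

    Lines without a '(N)' prefix (e.g. 'Child PID ... killing child') are
    attributed to the most recently seen request (heuristic).
    """
    requests = OrderedDict()
    current = None
    for line in log_text.splitlines():
        m = REQ_PREFIX.match(line)
        if m:
            current = m.group(1)
            requests.setdefault(current, [])
        if current is not None:
            requests[current].append(line)
    return requests


def classify_request(lines):
    """Return (username, cause) for one request's lines.

    cause: 'helper_timeout' when the helper was killed for taking too long,
    'bad_credentials' when the helper itself reported a mismatch, 'accepted'
    when no reject was logged, 'unknown' for a reject with neither marker.
    """
    user = None
    for line in lines:
        m = USERNAME.search(line)
        if m:
            user = m.group(1)
            break
    rejected = any(REJECT_MARKER in l or MISMATCH_MARKER in l for l in lines)
    if not rejected:
        return user, "accepted"
    if any(marker in l for l in lines for marker in TIMEOUT_MARKERS):
        return user, "helper_timeout"
    if any(MISMATCH_MARKER in l for l in lines):
        return user, "bad_credentials"
    return user, "unknown"


def triage(log_text):
    """Map request id -> {'user': ..., 'cause': ...} for every request seen."""
    return {
        req_id: dict(zip(("user", "cause"), classify_request(lines)))
        for req_id, lines in group_by_request(log_text).items()
    }


def summarize(log_text):
    """Count requests per cause; a burst of 'helper_timeout' points at the
    directory or the path to it, not at the users' passwords."""
    counts = {}
    for info in triage(log_text).values():
        counts[info["cause"]] = counts.get(info["cause"], 0) + 1
    return counts


if __name__ == "__main__":
    for req_id, info in triage(SAMPLE_LOG).items():
        print(f"request {req_id}: user={info['user']} cause={info['cause']}")
    print(summarize(SAMPLE_LOG))
```

Run it against a real /var/log/radius/radius.log by reading the file into `triage()`; a high share of `helper_timeout` across many users is the signature described in this article, whereas isolated `bad_credentials` entries are ordinary wrong passwords.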

Possible reasons include:

  1. Network connectivity issues between FortiNAC and the AD server.
  2. Resource issues on the AD server.

Further investigation is required in the Windows Event Viewer on the AD server and by validating network performance between FortiNAC and AD.


Related documents:

Troubleshooting Tip: Viewing FortiNAC-F local RADIUS logs from GUI

Technical Tip: FortiNAC general troubleshooting guide

Technical Tip: MSCHAPv2 authentication, join FortiNAC in domain and checks

Troubleshooting Tip: Local Winbind configuration fails to start