FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
scitlak
Staff
Article Id 344625
Description This article describes how to fix the 'Authentication Failure' issue caused by the missing 'Message-Authenticator' attribute, which is mandatory with FortiOS 7.2.10 or 7.4.5.
Scope FortiNAC, FortiNAC-F.
Solution

In the case of RADIUS authentication with EAP, FortiNAC sends 'Access-Accept', 'Access-Reject', or 'Access-Challenge' messages with the 'Message-Authenticator' attribute. However, when MAB (MAC Authentication Bypass) is in use, FortiNAC does not send the 'Message-Authenticator' attribute by default, and authentication fails with FortiOS 7.2.10 or 7.4.5.

If the 'fnbamd' debug log is enabled on the FortiGate, the following debug messages can be observed.

[1156] __rad_chk_resp_authenticator-No Message Authenticator
[1210] fnbamd_rad_validate_pkt-Invalid digest

The 'Message-Authenticator' attribute can be enabled for MAB by following the steps below.

  1. Under Network -> RADIUS -> Attributes Groups, select the Attribute Group that is already in use under the Device Model Configuration and select 'Modify'.
  2. In the left window, filter the attributes to find the 'Message-Authenticator' attribute and move it to the right window.
  3. Select the 'Response Values' field and leave it empty. Then select OK.
  4. Check the RADIUS authentication and enable a packet capture. FortiNAC now sends the 'Message-Authenticator' attribute with the Access-Accept message.
  5. Check the authentication status on the FortiGate CLI and confirm it is Authorized.

Note: Since the FortiGate test RADIUS request with username test01 will not match any 'Network Access Policy' or 'Logical Network', and FortiGate does not use EAP for the test 'Radius-Request', FortiNAC sends an 'Access-Accept' without any additional RADIUS attributes. As a consequence, FortiGate will still report 'Invalid secret for the server'.
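
To make the client-side checks behind the 'No Message Authenticator' and 'Invalid digest' debug lines concrete, here is an added Python example (not FortiNAC or FortiOS code) that builds a RADIUS Access-Accept with or without the 'Message-Authenticator' attribute and validates it the way a RADIUS client does per RFC 2869: the attribute must be present, its HMAC-MD5 (keyed with the shared secret, computed with the value zeroed and the Request Authenticator in the Authenticator field) must verify, and the Response Authenticator must match. The shared secret, identifier and attribute values are constructed sample data.

```python
import hmac
import hashlib
import struct

ACCESS_ACCEPT = 2            # RADIUS code (RFC 2865)
MESSAGE_AUTHENTICATOR = 80   # attribute type; value is a 16-byte HMAC-MD5 (RFC 2869)

def build_access_accept(secret, ident, req_auth, attrs, include_msg_auth):
    """Build an Access-Accept; attrs is a list of (type, value_bytes)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    ma_offset = len(body)
    if include_msg_auth:
        # 16 zero bytes stand in for the HMAC while it is computed (RFC 2869 5.14).
        body += struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    if include_msg_auth:
        # For a response, the Authenticator field is the Request Authenticator.
        mac = hmac.new(secret, header + req_auth + body, hashlib.md5).digest()
        body = body[:ma_offset + 2] + mac
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    resp_auth = hashlib.md5(header + req_auth + body + secret).digest()
    return header + resp_auth + body

def validate_response(secret, req_auth, packet):
    """Client-side checks; returns 'ok' or the reason the packet is rejected."""
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    pos, ma_offset = 0, None
    while pos + 2 <= len(body):
        attr_type, attr_len = body[pos], body[pos + 1]
        if attr_len < 2 or pos + attr_len > len(body):
            return "malformed"
        if attr_type == MESSAGE_AUTHENTICATOR and attr_len == 18:
            ma_offset = pos + 2
        pos += attr_len
    if ma_offset is None:
        return "no-message-authenticator"   # the failure this article fixes
    zeroed = body[:ma_offset] + bytes(16) + body[ma_offset + 16:]
    expected = hmac.new(secret, header + req_auth + zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, body[ma_offset:ma_offset + 16]):
        return "invalid-digest"
    if hashlib.md5(header + req_auth + body + secret).digest() != resp_auth:
        return "invalid-response-authenticator"
    return "ok"

# Constructed sample values, not taken from any real deployment.
SECRET = b"constructed-shared-secret"
REQ_AUTH = bytes(range(16))
ATTRS = [(18, b"MAB device accepted")]   # Reply-Message
```

Feeding the two variants to validate_response reproduces the two outcomes: an Access-Accept built without the attribute is rejected as 'no-message-authenticator', and one built with the attribute but checked under a different shared secret fails with 'invalid-digest'.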


2nd option:
Upgrade FortiNAC to v7.2.8, v7.4.1, or v7.6.0 GA.