Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: 7.2.10 Breaks DUO Radius proxy
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
7.2.10 Breaks DUO Radius proxy
We have a few customers who use the DUO Radius proxy to provide 2fa for the VPN. After an automatic update to 7.2.10 the user receives the DUO prompt, but authentication never completes. There is a known bug int the release notes about radius not working in the UI, and the workaround is to use the CLI to test authentication, but not that it would break any actual functionality.
For now we have rolled back to 7.2.9 but just wanted to give a heads up.
omegle xender
Labels:
- Labels:
-
FortiGate
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
- « Previous
-
- 1
- 2
- Next »
15 REPLIES 15
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@salehaThank you for confirming this, although the last doc you referred, which I already read through yesterday, doesn't sound so promising.
Toshi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just ran into this today after upgrading from 7.2.9 to 7.2.10, using Duo Auth Proxy as the RADIUS server. One effective workaround for this that I worked out is to switch from using ad_client as the authentication source for Duo, to using radius_client. Thanks Saleha for this link:
https://help.duo.com/s/article/9014?language=en_US
That put me on the right track to realize that if you pass through the Message Authenticator attribute to a patched MS NPS server, you'll get one back too, and it will satisfy the Fortinet requirement introduced in 7.2.10. If you don't already have NPS configured to serve RADIUS, you'll need to configure it. Then set up your Duo Auth Proxy like this:
**********************
[radius_client]
host=<ip address of your primary NPS server>
host_2=<ip address of your secondary NPS server>
secret_protected=<removed>
pass_through_all=true
retries=1
[radius_server_auto]
ikey=<removed>
skey_protected=<removed>
api_host=<removed>
radius_ip_1=<the IP or subnet of your devices that use Duo for RADIUS authentication>
radius_secret_protected_1=<removed>
failmode=secure
client=radius_client
port=1812
pass_through_all=true
*************************
You still need the [ad_client] section of the config file for synchronizing AD to the Duo cloud, but I didn't include it here because it doesn't change.
Note that pass_through_all is enabled for both the client and server section. I have my FortiGate configured to use MSCHAPv2 for the authentication type but I'm not sure that matters, as long as the NPS config is in agreement (note that if you do use MSCHAPv2 you also have to enable this registry setting on the NPS server and reboot):
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Policy]
"Enable NTLMv2 Compatibility"=dword:00000001
Other than that, it's just a matter of setting up a RADIUS client on NPS that corresponds to your Duo Auth Proxy, and setting up a policy that allows access when the appropriate conditions are met (e.g. client friendly name, authentication type, Windows groups, etc).
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm wondering if "ad_client" uses LDAP. Does anyone know?
Toshi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, ad_client uses LDAP. There are several choices for how to authenticate (mine is using SSPI) and you can choose to encrypt (LDAPS) or not, but it's definitely still AD over LDAP. I think that's actually at the heart of the issue: ad_client is an LDAP-based authentication source for Duo, so it can't generate a RADIUS Message-Authenticator attribute synthetically. The FortiGate sends the request back to Duo with Message-Authenticator because that half is RADIUS, but the back half is not RADIUS when it's ad_client, so it has no way to handle Message-Authenticator.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Duo released version 6.4.2 to fix this:
Version 6.4.2 - October 21, 2024
- Adds the configuration option force_message_authenticator to radius_server modules.
- Set force_message_authenticator to true to force the Authentication Proxy to include a message-authenticator attribute in reply packets.
- Ensures that reply packets containing a message-authenticator attribute send that as the first attribute.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi FortiUsr,
Thank you for the informative update. Here is the page from DUO reflecting what you mentioned about DUO version 6.4.2 or later supporting this change:
https://help.duo.com/s/article/9014?language=en_US
Thank you,
saleha
- « Previous
-
- 1
- 2
- Next »
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Fortiauthenticator 6.6.2 somehow caching duo ldap... 64 Views
- 7.2.10 Breaks DUO Radius proxy 3234 Views
- What FortiOS Event Logs should i... 1151 Views
- issue in arp responce 266 Views
- FortiGate FGT200F-HA2 VPN DUO 2FA access... 449 Views
Labels
-
FortiGate
8,293 -
FortiClient
1,675 -
5.2
801 -
FortiManager
697 -
5.4
639 -
FortiAnalyzer
529 -
FortiSwitch
449 -
FortiAP
444 -
6.0
416 -
FortiClient EMS
386 -
5.6
362 -
FortiMail
306 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
199 -
5.0
196 -
FortiWeb
194 -
IPsec
170 -
FortiNAC
169 -
FortiGuard
132 -
6.4
128 -
SD-WAN
101 -
FortiGateCloud
100 -
FortiSIEM
98 -
FortiCloud Products
95 -
FortiToken
88 -
FortiAuthenticator
79 -
Wireless Controller
76 -
Customer Service
75 -
Firewall policy
67 -
4.0MR3
64 -
FortiProxy
55 -
FortiADC
51 -
Fortivoice
50 -
FortiEDR
50 -
vlan
46 -
High Availability
46 -
ZTNA
44 -
FortiExtender
43 -
FortiDNS
42 -
FortiSandbox
40 -
Routing
37 -
DNS
37 -
BGP
36 -
FortiGate v5.4
35 -
LDAP
35 -
FortiSwitch v6.4
33 -
SAML
32 -
Certificate
32 -
Interface
31 -
SSO
29 -
NAT
29 -
FortiConnect
28 -
Authentication
28 -
RADIUS
26 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
FortiGate v5.2
24 -
VDOM
24 -
Application control
22 -
Virtual IP
22 -
Web profile
22 -
Logging
21 -
Fortigate Cloud
19 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
FortiMonitor
18 -
FortiPAM
18 -
Traffic shaping
17 -
SSL SSH inspection
16 -
FortiDDoS
15 -
FortiGate v5.0
14 -
OSPF
14 -
IP address management - IPAM
14 -
SSID
13 -
WAN optimization
13 -
FortiCASB
12 -
SNMP
12 -
Admin
12 -
Static route
12 -
System settings
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiSOAR
11 -
Automation
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiAP profile
9 -
FortiBridge
8 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
Proxy policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
Traffic shaping policy
7 -
Fabric connector
7 -
Intrusion prevention
7 -
FortiDeceptor
6 -
FortiCache
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
FortiCarrier
5 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Traffic shaping profile
5 -
Web rating
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiScan
4 -
Explicit proxy
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Email filter profile
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
API
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
Schedule
2 -
SDN connector
2 -
Service
2 -
Zone
2 -
Cloud Management Security
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
TACACS
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1613 | |
| 1055 | |
| 749 | |
| 443 | |
| 210 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.