J2B4U
New Contributor II

FGT Can't contact RADIUS server FAC

Hello, yesterday I configured my FAZ to use our FAC as RADIUS server, which worked #1. Today I tried to do the same thing for our FGT, but I always get the "Can't contact RADIUS server". RADIUS client and policies are done the same way.

 

If I delete the policy and the client from the FAC, do a connectivity test on the FGT RADIUS config and look in the FAC /debug web page, I see a request with the error of unknown client, which is normal. But as soon as I create the client and the policy for it in my FAC and retest from the FGT, which is failing, I get no more logs in the /debug page of the FAC, so I'm a bit confused as to what I am missing to get this to work.

 

rbraha
Staff

Hi @J2B4U 

Make sure first that the secret between FAC and FGT is correct. Additionally, if you are using FGT version 7.2.10, FAC should be upgraded to version 6.6.2. Make sure that you specify in the CLI the source IP from which the RADIUS server can be reached, or the interface that can be used:

config user radius
    edit <radius server name>
        set source-ip ''
        set interface-select-method auto
    next
end

 

If getting another error like No message Authenticator, follow the guide below.

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-RADIUS-authentication-failure-after-...

J2B4U
New Contributor II

FGT is in 7.2.9 and FAC in 6.6.2, secret is good

J2B4U
New Contributor II

@rbraha I found the problem, thanks for your link. On the FAC, in the client, I enabled "Require client to send Message-Authenticator attribute" and I'm in version 7.2.9, not 7.2.10, so I disabled the feature and it worked right away. Since my FAZ is at the latest version, it was working with this feature enabled, and I just replicated the same config for my FGT.
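The failure mode discussed in this thread, as an added example that is not part of the original posts and is not Fortinet code: a RADIUS server set to require Message-Authenticator (attribute 80, HMAC-MD5 over the packet, RFC 2869 section 5.14) discards an Access-Request from a client that omits it, so the client sees no reply at all. The shared secret, user name and result strings are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, USER_NAME, MESSAGE_AUTHENTICATOR = 1, 1, 80  # RFC 2865 / RFC 2869


def build_access_request(secret: bytes, user: bytes, with_msg_auth: bool) -> bytes:
    """Build a minimal Access-Request, optionally signed with Message-Authenticator."""
    attrs = b""
    if with_msg_auth:
        attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)  # zeroed placeholder
    attrs += bytes([USER_NAME, 2 + len(user)]) + user
    header = struct.pack("!BBH", ACCESS_REQUEST, 1, 20 + len(attrs)) + os.urandom(16)
    packet = bytearray(header + attrs)
    if with_msg_auth:
        # HMAC-MD5 over the whole packet while the 16 value bytes are still zero
        packet[22:38] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)


def check_request(packet: bytes, secret: bytes, require_msg_auth: bool) -> str:
    """Server-side decision: 'process', or the reason the packet is discarded."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return "discard: malformed length"
    pos, found = 20, False
    while pos < len(packet):
        atype = packet[pos]
        alen = packet[pos + 1] if pos + 1 < len(packet) else 0
        if alen < 2 or pos + alen > len(packet):
            return "discard: malformed attribute"
        if atype == MESSAGE_AUTHENTICATOR:
            # Recompute the HMAC with the attribute value zeroed, then compare
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            if alen != 18 or not hmac.compare_digest(expected, packet[pos + 2:pos + 18]):
                return "discard: bad Message-Authenticator"
            found = True
        pos += alen
    if require_msg_auth and not found:
        return "discard: Message-Authenticator missing"
    return "process"


if __name__ == "__main__":
    secret = b"constructed-secret"  # constructed sample value, not from the thread
    for signed in (False, True):
        print(signed, check_request(build_access_request(secret, b"admin", signed), secret, True))
```

A discarded request produces no Access-Reject, which a client can only report as a timeout; a wrong shared secret on a signed request fails the same check.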

J2B4U
New Contributor II

Now that communication between FGT and FAC RADIUS is working, when I try to log in I enter my credentials and then the FGT asks for my token, but after giving my token I get an access denied ¯\_(ツ)_/¯

 

 




Hosemacht

Hey there,

 

there is a known issue with radius between FGT and FAC, and therefore you have to enable "Require client to send Message-Authenticator attribute" on the FAC (a new feature introduced in v6.6.2 to mitigate CVE-2024-3596)

 

See: RADIUS authentication failure after the f... - Fortinet Community

 

UPDATE: sorry, I didn't see you were already informed about this issue the first time.

sudo apt-get-rekt

J2B4U
New Contributor II

forgot to add this

[Attached screenshots: 2025-01-20 09_40_00-Clipboard.png, 2025-01-20 09_41_48-FortiGate - FortiGate-400F-M.png]

rbraha

Hi @J2B4U 

Make sure that the group name is matching correctly. Try to configure the same user on the FGT side and try to authenticate again. Check the guides below for remote admin login:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-admin-access-using-FortiAuthenti...


https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-Remote-admin-login-with-Radius-se...

jackgray72
New Contributor

Double-check that the shared secret on both the FGT and FAC match exactly; it's a common culprit for RADIUS connection issues.
