Support Forum
DaveG-PW
New Contributor

Fortigate RADIUS with Microsoft NAS

Hi,

I'm having a lot of trouble getting our FortiGate firewalls (100Fs / v7.2.10 build1706) to connect to our Microsoft NAS RADIUS server (Windows Server 2022).

In NAS there is a tick box that says "Access-Request messages must contain the Message-Authenticator attribute". My research shows that, given the version of the Forti software we are running, this should be ticked; however, with this ticked, Forti reports "Unable to reach RADIUS server" and Windows Event Viewer shows:

An Access-Request message was received from RADIUS client 10.10.100.1 without a Message-Authenticator attribute when a Message-Authenticator attribute is required. Verify the configuration of the RADIUS client in the Network Policy Server snap-in (the "Client must always send the Message-Authenticator attribute in the request" checkbox) and the configuration of the network access server.

If I untick it, then Forti reports an invalid secret (even though it's been triple checked, reset, and checked some more) and Event Viewer shows:

An Access-Request message was received from RADIUS client 10.10.100.1 with a Message-Authenticator attribute that is not valid.

If I add my own laptop as a client in NAS and use something like radlogin, it communicates with the server OK, so it seems to be an issue specific to Forti.

Thanks

AEK
SuperUser

Hi Dave

Are you hitting this known issue?

1075627

On the User & Authentication > RADIUS Servers page, the Test Connectivity and Test User Credentials buttons may incorrectly return a Can't contact RADIUS server error message when testing against a RADIUS server that requires the message-authentication attribute in the access request from the FortiGate.

This is a GUI display issue as the actual RADIUS connection does send the message-authentication attribute.

Workaround: confirm the connection to the RADIUS server using the CLI:

diagnose test authserver radius <server> <method> <user> <password>

AEK
DaveG-PW
New Contributor

Doesn't appear so; if I try the command, I get the following:

authenticate 'myusername' against 'chap' failed(no response), assigned_rad_session_id=450523000 session_timeout=0 secs idle_timeout=0 secs!

And nothing shows up in Event Viewer; I've tried with all 4 auth methods.

AEK

Are you sure the method is chap? Can you try others?

AEK
DaveG-PW
New Contributor

Hi, I have tried all 4 methods with the same result; checking the config in NAS, all auth methods are enabled.

AEK

You tried them while “Access-Request messages must contain the Message-Authenticator attribute” is enabled in your NPS, right? Because as you are using FOS 7.2.10 it must be enabled.

AEK
DaveG-PW
New Contributor

Yes, at the moment I have that ticked; I did try without it as well and got the messages shown in the original post.

ebilcari
Staff

You can read more about this behavior (Blast RADIUS) in this article. 

A packet capture for RADIUS communication between FGT and NPS will tell if the new required attribute is present on sent/received packets.

Some details are also shown in the FGT GUI:

[screenshot: rad-test.PNG]

- Emirjon
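The two NPS events quoted in the original post ("without a Message-Authenticator attribute" versus "a Message-Authenticator attribute that is not valid") are the two distinct outcomes of the check a RADIUS server runs on each Access-Request, and a packet capture as suggested above only tells you whether the attribute is present, not whether it verifies. The following Python is an added example, not code from this thread, FortiOS or NPS: it builds an Access-Request the way a NAS does and then classifies it the way a server does. It assumes the standard RADIUS wire format (RFC 2865) and the Message-Authenticator definition from RFC 2869 section 5.14 (HMAC-MD5 keyed with the shared secret over the whole packet with the attribute value zeroed). The shared secrets are constructed sample values; the user name and the client address 10.10.100.1 are taken from the thread.

```python
"""Build and verify the RADIUS Message-Authenticator attribute (RFC 2869 s5.14).

Added example for this thread; not code from the posts, FortiOS or NPS.
Assumes the RFC 2865 wire format and HMAC-MD5 keyed with the shared secret
over the packet with the attribute value zeroed (RFC 2869).
"""
import hashlib
import hmac
import secrets

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80


def build_access_request(identifier, attributes, secret, request_authenticator=None):
    """Return an Access-Request carrying a correct Message-Authenticator.

    attributes: list of (type, value bytes); the Message-Authenticator is appended last.
    """
    if request_authenticator is None:
        request_authenticator = secrets.token_bytes(16)  # random per RFC 2865
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attributes)
    body += bytes([ATTR_MESSAGE_AUTHENTICATOR, 18]) + bytes(16)  # zero placeholder
    length = 20 + len(body)
    packet = (bytes([ACCESS_REQUEST, identifier]) + length.to_bytes(2, "big")
              + request_authenticator + body)
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # the placeholder is the last 16 bytes


def parse_attributes(packet):
    """Return [(type, offset, value)] for every attribute in the packet."""
    length = int.from_bytes(packet[2:4], "big")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, pos, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def check_access_request(packet, secret, require_message_authenticator=True):
    """Classify a received Access-Request as 'ok', 'missing' or 'invalid'.

    'missing' and 'invalid' correspond to the two NPS event messages quoted in
    the thread; 'ok' is a well-formed request under the given shared secret.
    """
    if len(packet) < 20 or packet[0] != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    if int.from_bytes(packet[2:4], "big") != len(packet):
        raise ValueError("length field does not match packet size")
    found = [(off, val) for t, off, val in parse_attributes(packet)
             if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not found:
        return "missing" if require_message_authenticator else "ok"
    off, val = found[0]
    if len(val) != 16:
        return "invalid"
    # Recompute the HMAC over the packet with the attribute value zeroed.
    zeroed = packet[:off + 2] + bytes(16) + packet[off + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return "ok" if hmac.compare_digest(expected, val) else "invalid"


def strip_message_authenticator(packet):
    """Copy of the packet with the attribute removed and the length field fixed."""
    out = bytearray(packet[:20])
    for t, off, val in parse_attributes(packet):
        if t != ATTR_MESSAGE_AUTHENTICATOR:
            out += packet[off:off + 2 + len(val)]
    out[2:4] = len(out).to_bytes(2, "big")
    return bytes(out)


def demo():
    """Reproduce the outcomes a server can report for one request."""
    secret = b"constructed-shared-secret"  # constructed sample value
    attrs = [(ATTR_USER_NAME, b"myusername"),                 # user name from the thread
             (ATTR_NAS_IP_ADDRESS, bytes([10, 10, 100, 1]))]  # client IP from the thread
    pkt = build_access_request(7, attrs, secret)
    stripped = strip_message_authenticator(pkt)
    return {
        "correct secret": check_access_request(pkt, secret),
        "wrong secret": check_access_request(pkt, b"constructed-wrong-secret"),
        "attribute stripped": check_access_request(stripped, secret),
        "stripped, not required": check_access_request(
            stripped, secret, require_message_authenticator=False),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print("%-24s %s" % (case, result))
```

The "wrong secret" case is the one worth noting when reading the original post: a Message-Authenticator computed under a different shared secret is present but fails verification, so the server reports it as invalid rather than missing, and the attribute is checked whenever it is present regardless of the "must contain" tick box (which is exactly what the second NPS event in the original post shows). A capture therefore confirms presence; only the shared secret on both sides decides whether it verifies.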
DaveG-PW

I've taken a look at that article and ran the command to turn on debugging.

However, I don't see that "Server message" section in the GUI when testing?
