rbenoit
New Contributor

Invalid secret RADIUS Fortigate/fortiauthenticator

Hello,

I have a problem with the RADIUS connection between my FortiGate and my FortiAuthenticator.

Last night the security team updated Fortigate to version 7.4.5 since users can no longer connect via VPN.

When I go to configuration I get this message

I checked the secrets carefully and they are identical, so I don't understand. The FortiGate and the FortiAuthenticator communicate well with each other, however.

Do you have any ideas?


Thanks

 

Rémy
1 Solution
saneeshpv_FTNT

Hi @rbenoit ,

 

Could you please upgrade your FAC to version 6.6.2 if it is on an older version? We made some enhancements in version 7.4.5 of FortiOS as a fix for CVE-2024-3596, and FAC should be on 6.6.2 or above to support this change. If you need more details, you may open a support case.

 

 

Best Regards,
San

vbandha

Hi @jbrown 

Have you enabled 'Message-Authenticator' attribute on Radius Server?

 

Regards,

Varun

chad422

You got me going in the right direction man, thank you!  I'm running 7.2.10 and per this bulletin: https://help.duo.com/s/article/9012?language=en_US

I added this attribute to radius server config and boom!

 

[radius_server_auto]
<snip>

force_message_authenticator=true
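
The Message-Authenticator attribute discussed in the replies above (RADIUS attribute type 80, RFC 3579) is an HMAC-MD5 over the whole packet, keyed with the shared secret and computed with the attribute's value zeroed. The following is an added example, not part of any post in this thread and not Fortinet or Duo code: it reports whether a RADIUS packet carries the attribute and whether it verifies. The function names, the secret `testing123` and the sample Access-Request are constructed for illustration.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80  # attribute type (RFC 2869 / RFC 3579)

def find_attribute(packet, attr_type, length):
    """Return the offset of the first attribute of attr_type, or None."""
    pos = 20  # fixed header: code, identifier, length, 16-byte authenticator
    while pos + 2 <= length:
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute")
        if a_type == attr_type:
            return pos
        pos += a_len
    return None

def check_message_authenticator(packet, secret, request_authenticator=None):
    """Return 'missing', 'valid' or 'invalid' for one RADIUS packet.

    For a reply (Access-Accept/Reject/Challenge), pass the 16-byte
    authenticator of the matching Access-Request.
    """
    if len(packet) < 20:
        raise ValueError("truncated packet")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    pos = find_attribute(packet, MESSAGE_AUTHENTICATOR, length)
    if pos is None:
        return "missing"
    if packet[pos + 1] != 18:  # 2-byte attribute header + 16-byte HMAC-MD5
        return "invalid"
    received = packet[pos + 2:pos + 18]
    buf = bytearray(packet[:length])
    buf[pos + 2:pos + 18] = bytes(16)  # HMAC is computed over a zeroed value
    if request_authenticator is not None:
        buf[4:20] = request_authenticator
    expected = hmac.new(secret, bytes(buf), hashlib.md5).digest()
    return "valid" if hmac.compare_digest(received, expected) else "invalid"

def build_request(secret, with_ma):
    """Constructed sample Access-Request for user 'alice' (not captured traffic)."""
    attrs = bytes([1, 7]) + b"alice"  # User-Name
    if with_ma:
        attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    pkt = bytearray(struct.pack("!BBH", 1, 42, 20 + len(attrs)) + bytes(range(16)) + attrs)
    if with_ma:
        pkt[-16:] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    return bytes(pkt)
```

Run against a packet taken from a capture of the RADIUS exchange, a result of `missing` means the sender is not adding the attribute at all, while `invalid` points to a shared-secret mismatch or a modified packet.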

 

Fireball6
New Contributor II

I've contacted Duo support and they said unfortunately the new CVE requirements are not yet compatible with the Duo Authentication Proxy.  They've escalated the case to developers.  They said my options now were to reach out to Fortigate to disable the new requirement or revert back to previous Firmware; I could also use Duo SSO rather than RADIUS.  I'm waiting for a call from Fortigate.

JNTULLIS
New Contributor

I went through the Duo SSO for Fortigate setup article yesterday and got it working for myself but others received errors when trying to connect.  The SSO / SAML setup also requires a change on the client (checking the SSO box).  I wanted to avoid having to change all of the clients, so I ended up just removing the RADIUS Duo Auth Proxy Remote Group and went back to just authenticating with an AD group for the Duo SSL VPN group on the FortiGate for the time being until I can get SSO working.  I really wish Duo would fix the Auth Proxy, but I seriously doubt they will.

Fireball6
New Contributor II

I didn't want to rush into configuring Duo SSO so we reverted back to 7.4.4 and the vpn is working now.  We'll either configure Duo SSO or see if Duo has a fix for the Duo Authenticator Proxy.  Thanks.  

SomeoneNew
New Contributor

Put me in the ME TOO category.

 

JThesis
New Contributor

Hi,

Same here...

I had a support ticket because of issues with VPN firewall rules.

They told us to upgrade the FTG to 7.4.5... and now I discover that RADIUS is no longer working with Duo??

Very interesting, does support know about the ongoing issues when they advise someone to upgrade their FTG? Because if they did know, I hope they wouldn't tell us to upgrade, as now the VPN is no longer working at all...

We have been using Forti for 6 months now (after Zyxel), and to be honest, there are a lot, I mean A LOT of issues... this is really not nice to work with you guys... There are always issues with your firmware. We upgrade to fix an issue and TADA, a new issue now.
