I'm working on migrating my home OpenSUSE machine I'm using for freeradius server to authenticate admin and VPN users on my FG40F(7.2.8) from Leap 15.3 to 15.5(on a new machine). Obviously 15.5's repo has a newer version of freeradius-server image.
Then when I simply copied "clients.conf" and "users" file to the new machine and pointed the RADIUS config at the 40F to the new machine, the RADIUS auth request was simply dropped without showing much reason in debug output other than "missing mandatory attribute".
After some research and investigation, I figured out I had to set "require_message_authenticator = no" in the client config for the 40F at the server, which was not required with the older version of freeradius, in order to let the server accept those requests from the 40F.
So I found a way around but now wondering why 40F wouldn't send the Message-Authenticator attribute with the request.
Even with 7.4.4, the admin guide says it doesn't send the attribute.
https://docs.fortinet.com/document/fortigate/7.4.4/administration-guide/952303/radius-avps-and-vsas
While Fortiswitch 7.2.8 admin guide says it DOES send the attribute, AVP Type=80.
https://docs.fortinet.com/document/fortiswitch/7.2.8/administration-guide/137894/appendix-b-supporte...
Does anyone know the reason why this part is different between FortiOS and FortiSwitchOS?
The comment in the client.conf file shows below:
# Old-style clients do not send a Message-Authenticator
# in an Access-Request. RFC 5080 suggests that all clients
# SHOULD include it in an Access-Request. The configuration
# item below allows the server to require it. If a client
# is required to include a Message-Authenticator and it does
# not, then the packet will be silently discarded.
Thanks,
Toshi
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi @Toshi_Esumi
They have made it mandatory in FortiOS 7.4.5
https://docs.fortinet.com/document/fortigate/7.4.5/fortios-release-notes/5880/radius-vulnerability
Regards,
Varun
FortiOS only sends it when performing EAP authentication (where it is mandatory).
I'd be curious to see how "consistent" FortiSwitch is with this, given that the attribute is mentioned only with MAB and EAP (802.1x). At the same time, I can't quite recall if there is a scenario where a FSW would want to do plain, non-EAP, non-MAB, PAP/CHAP/MSCHAPv2 authentication.
Created on 07-22-2024 08:54 AM Edited on 07-22-2024 08:55 AM
So you're saying basically the 7.4.4 admin guide's description is incorrect, and FGTs do send that attribute with a condition.
The RFC 5080 states...
Any Access-Request packet that performs authorization checks, including Call Check, SHOULD contain a Message-Authenticator attribute.
So I wouldn't argue with them for the freeradius' expectation with the newer version (I almost asked this to them) and not only EAP but also non-EAP admin&VPN user auth requests should have this attribute.
But further arguing this with FTNT and submit a new feature request would take my time and effort. So I'll settle with my current "workaround" for this issue.
Thank you for your prompt response @pminarik. I expected for this post to sit there without any comments a while.
Toshi
> Any Access-Request packet that performs authorization checks,
My reading of that RFC5080 section is that it discusses, and applies to, situations where an Access-Request is attempting to do only authorization, i.e. completely or essentially (MAB) without a password (provide username/MAC -> get info).
With that said, I am not an expert, so dissent is welcome.
Hi @Toshi_Esumi
They have made it mandatory in FortiOS 7.4.5
https://docs.fortinet.com/document/fortigate/7.4.5/fortios-release-notes/5880/radius-vulnerability
Regards,
Varun
Created on 09-25-2024 07:24 PM Edited on 09-25-2024 07:32 PM
Thanks @vbandha reminding this to me. So somebody must have listened to my cry in this thread or many others' cries about this issue then implemented it to 7.4.5 as well as 7.2.10, then exploited some problems on the server side as the result like below:
https://community.fortinet.com/t5/Support-Forum/7-2-10-Breaks-DUO-Radius-proxy/m-p/344254#M251973
I need to re-test my home setting by removing the exception from my freeRADIUS server. I already upgraded my 40F to 7.2.10 yesterday without knowing about this change.
Toshi
Just FYI. It works now without the "require_message_authenticator = no" flag on freeRADIUS side.
Toshi
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1662 | |
1077 | |
752 | |
446 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.