Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
martinsc
New Contributor

Created on ‎10-17-2024 04:20 AM

Radius connection does not work anymore after upgrading from 7.2.9 to 7.2.10

Hello everybody,

 

I have upgraded my FGT60F today from 7.2.6 to 7.2.9 and then to 7.2.10
This has been working fine without any issue.

After a while I noticed, that the VPN-Clients were not able to connect anymore.
When I inspected the Radius Server Connection (freeradius), it says:

 

Connection status: credentials not valid 

 

 

I tried a few settings, whether I will get the connection back - but this did not work.

 

After changing back to 7.2.9 the connection with the radius server worked again.

Any ideas, what the problem could be?

 

 

Thanks,
Martin

 

 

 

Labels:
198
0 Kudos
11 REPLIES 11
AEK
SuperUser
SuperUser

Created on ‎10-17-2024 04:27 AM

Hi Martin

This is due to a new RADIUS vulnerability.

https://www.fortiguard.com/psirt/FG-IR-24-255

If I'm not wrong the solution is to use RADSEC.

AEK
AEK
185
0 Kudos
AEK
SuperUser
SuperUser

Created on ‎10-17-2024 04:31 AM

Additionally you may check this:

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-RADIUS-authentication-failure-after-...

 

AEK
AEK
178
0 Kudos
martinsc
New Contributor

Created on ‎10-17-2024 05:42 AM

Thanks for your quick answer!
Martin

127
0 Kudos
Toshi_Esumi
SuperUser
SuperUser

Created on ‎10-17-2024 08:13 AM

Hold on. I had the opposite experience, it didn't work when FGT was 7.2.9 and the freeRADIUS was upgraded to the latest. So I had to exempt the FGT from Message-Authenticator attribute check as I posted before.
https://community.fortinet.com/t5/Support-Forum/RADIUS-attribute-Message-Authenticator/td-p/327120

So do you have this "require_message_authenticator = no" flag set? I would assume it would still work with 7.2.10 with this exception. Or you might need to upgrade the freeRADIUS to the latest.

Toshi

91
Toshi_Esumi
SuperUser
SuperUser

Created on ‎10-17-2024 08:19 AM

But your error is different from my case. Does it fail if you create a new user/set a new credential and try connecting VPN? Run "radiusd -X" to check the detail when it fails.

Toshi

90
0 Kudos
arahman
Staff
Staff

Created on ‎10-17-2024 01:36 PM

Hi, please make sure your free radius is one of this version 3.0.26, 3.2.3, 3.2.5, 3.2.6. as these are working with FortiGate

27
0 Kudos
Toshi_Esumi
SuperUser
SuperUser

Created on ‎10-17-2024 01:46 PM

By the way, mine is 3.0.25 and working fine with 7.2.10.

Toshi

21
0 Kudos
AEK
SuperUser
SuperUser

Created on ‎10-17-2024 02:10 PM

Hi Toshi, Rahman

Does it mean RADSEC is not mandatory?

AEK
AEK
15
0 Kudos
Toshi_Esumi
SuperUser
SuperUser

Created on ‎10-17-2024 02:26 PM Edited on ‎10-17-2024 02:32 PM

RADSEC is to just encrypt/encapsulate RADIUS UDP traffic in TLS, which is not available with 7.2.x anyway. As long as the server side can handle/reply FGT's auth request message with Message-Authenticator attribute, which most recent/decent servers do, it should work fine.

Or, RADSEC is more to address the security issue if the unencrypted RADIUS traffic goes over the internet.

Toshi

8
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.