Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
turipriv
New Contributor II

Created on ‎03-19-2024 08:04 AM Edited on ‎03-19-2024 08:05 AM

Unable to authenticate radius users

Greetings,

 

I am configuring RADIUS authentication on my Fortigate 101F running FortiOS Version 7.4.3.

 

The Microsoft NPS Server has been configured according to this guide.

 

My radius configuration is as follows:

 

config user radius
edit "RADIUS"
set server "172.16.9.3"
set secret PSK
set nas-ip x.x.x.x
set auth-type ms_chap_v2
set source-ip "x.x.x.x"
next
end

 

The connection between the Fortigate and the NPS is successful, but test user credentials test fails.

 

The CLI test output is as follows:

 

diagnose test authserver radius RADIUS mschap2 user password
authenticate 'user' against 'mschap2' failed, assigned_rad_session_id=1486429090 session_timeout=0 secs idle_timeout=0 secs!

 

Running a packet capture between the Firewall and the Radius Server I get an access-reject response with the following MS-CHAP error

 

Code: 3
ID: 190
Length: 42
Auth: 91 C7 F9 28 0A 50 59 33 13 39 B3 75 58 04 AC EE
AVP: l=22 t=Vendor-Specific(26) v=Microsoft(311)
VSA: l=16 t=MS-CHAP-Error(2)
Value: '<00>E=649 R=0 V=3'

 

Any insight would be much appreciated.

 

Thanks in advance.

I'm too lazy for a creative signature
I'm too lazy for a creative signature
Labels:
4325
0 Kudos
1 Solution
pminarik
Staff
Staff
In response to turipriv

Created on ‎03-25-2024 04:22 AM

What does the NPS log on the Windows server say about?

The error code is very specific and should be very clear, so I would rather trust the NPS. No offense intended. :)

 

On the NPS server: Event Log Viewer > Custom Views > Server Roles > Network and Policy Access Services.

Find the entry/entries for the rejected attempt. Check what it says. Also pay close attention to and check what rule/policy the attempt matched. (if you have multiple, maybe the matching is not as you expect)

[ corrections always welcome ]

View solution in original post

4149
7 REPLIES 7
AEK
SuperUser
SuperUser

Created on ‎03-20-2024 03:03 AM

Hi

Can you test user credentials by entering "domain\user" as user instead of "user"?

AEK
AEK
4309
turipriv
New Contributor II
In response to AEK

Created on ‎03-25-2024 02:21 AM Edited on ‎03-25-2024 02:23 AM

Hi,

 

yes I tried that too, but unfortunatelly I got the same error message.

testrRadius.png

I'm too lazy for a creative signature
I'm too lazy for a creative signature
4175
0 Kudos
pminarik
Staff
Staff

Created on ‎03-20-2024 03:11 AM Edited on ‎03-20-2024 03:13 AM

From MS-CHAPv2 RFC 2759.

649 ERROR_NO_DIALIN_PERMISSION 

 This is related to the "dial-in" property of AD users.

You can edit that in each user's Properties > Dial-in tab. (allow | deny | control based on NPS policy)

You can also set the Network Policy in NPS itself to ignore the dialin property. (Overview tab, section "Access Permission").

 

user_dialin_property.pngNPS_policy.png

[ corrections always welcome ]
4303
turipriv
New Contributor II
In response to pminarik

Created on ‎03-25-2024 02:14 AM

Hi,

 

thank you for your feedback and sorry for my late reply. Unfortunately, both the options you pointed out are already selected in the NPS.

 

 

I'm too lazy for a creative signature
I'm too lazy for a creative signature
4185
0 Kudos
pminarik
Staff
Staff
In response to turipriv

Created on ‎03-25-2024 04:22 AM

What does the NPS log on the Windows server say about?

The error code is very specific and should be very clear, so I would rather trust the NPS. No offense intended. :)

 

On the NPS server: Event Log Viewer > Custom Views > Server Roles > Network and Policy Access Services.

Find the entry/entries for the rejected attempt. Check what it says. Also pay close attention to and check what rule/policy the attempt matched. (if you have multiple, maybe the matching is not as you expect)

[ corrections always welcome ]
4150
turipriv
New Contributor II

Created on ‎04-05-2024 01:58 AM Edited on ‎04-05-2024 02:02 AM

Greetings everyone,

 

for some reason I fail to understand, the NPS event viewer was not displaying any error messages whatsoever.

 

Anyway, what I found out is that there was indeed a mismatch in policy due to an incorrect policy ordering.

 

Once the Fortinet-related policy was ranked-up everything warked fine.

 

Thanks everyone for your insight.

I'm too lazy for a creative signature
I'm too lazy for a creative signature
4008
amg7
New Contributor
In response to turipriv

Created on ‎07-16-2024 03:32 AM

Hello, can you tell me what you did to solve it? Do you mean the policies in the Fortinet or the NPS policies?

Thanks
Regards

2353
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.