Greetings,
I am configuring RADIUS authentication on my Fortigate 101F running FortiOS Version 7.4.3.
The Microsoft NPS Server has been configured according to this guide.
My radius configuration is as follows:
config user radius
edit "RADIUS"
set server "172.16.9.3"
set secret PSK
set nas-ip x.x.x.x
set auth-type ms_chap_v2
set source-ip "x.x.x.x"
next
end
The connection between the Fortigate and the NPS is successful, but test user credentials test fails.
The CLI test output is as follows:
diagnose test authserver radius RADIUS mschap2 user password
authenticate 'user' against 'mschap2' failed, assigned_rad_session_id=1486429090 session_timeout=0 secs idle_timeout=0 secs!
Running a packet capture between the Firewall and the Radius Server I get an access-reject response with the following MS-CHAP error
Code: 3
ID: 190
Length: 42
Auth: 91 C7 F9 28 0A 50 59 33 13 39 B3 75 58 04 AC EE
AVP: l=22 t=Vendor-Specific(26) v=Microsoft(311)
VSA: l=16 t=MS-CHAP-Error(2)
Value: '<00>E=649 R=0 V=3'
Any insight would be much appreciated.
Thanks in advance.
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
What does the NPS log on the Windows server say about?
The error code is very specific and should be very clear, so I would rather trust the NPS. No offense intended. :)
On the NPS server: Event Log Viewer > Custom Views > Server Roles > Network and Policy Access Services.
Find the entry/entries for the rejected attempt. Check what it says. Also pay close attention to and check what rule/policy the attempt matched. (if you have multiple, maybe the matching is not as you expect)
Hi
Can you test user credentials by entering "domain\user" as user instead of "user"?
Created on 03-25-2024 02:21 AM Edited on 03-25-2024 02:23 AM
Hi,
yes I tried that too, but unfortunatelly I got the same error message.
From MS-CHAPv2 RFC 2759.
649 ERROR_NO_DIALIN_PERMISSION
This is related to the "dial-in" property of AD users.
You can edit that in each user's Properties > Dial-in tab. (allow | deny | control based on NPS policy)
You can also set the Network Policy in NPS itself to ignore the dialin property. (Overview tab, section "Access Permission").
Hi,
thank you for your feedback and sorry for my late reply. Unfortunately, both the options you pointed out are already selected in the NPS.
What does the NPS log on the Windows server say about?
The error code is very specific and should be very clear, so I would rather trust the NPS. No offense intended. :)
On the NPS server: Event Log Viewer > Custom Views > Server Roles > Network and Policy Access Services.
Find the entry/entries for the rejected attempt. Check what it says. Also pay close attention to and check what rule/policy the attempt matched. (if you have multiple, maybe the matching is not as you expect)
Greetings everyone,
for some reason I fail to understand, the NPS event viewer was not displaying any error messages whatsoever.
Anyway, what I found out is that there was indeed a mismatch in policy due to an incorrect policy ordering.
Once the Fortinet-related policy was ranked-up everything warked fine.
Thanks everyone for your insight.
Hello, can you tell me what you did to solve it? Do you mean the policies in the Fortinet or the NPS policies?
Thanks
Regards
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1710 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.