Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
IT_DSS
New Contributor II

Created on ‎02-26-2025 06:46 AM Edited on ‎02-26-2025 07:12 AM

Using Authentik radius server - Invalid secret for the server

So i recently set up an Authentik radius server 

it works properly as tested by radtest and NTRadPing

 
 

Untitled.png

 Authentik itself also returns "accept" when asked by fortigate

Untitled1.png

 But fortigate refuses to acknowledge that anything is properly configured

 
Untitled2.png

debug response:

RTR-032 # diagnose test authserver radius VFX_Authentik pap test test
authenticate 'test' against 'pap' failed, assigned_rad_session_id=103199522320389 session_timeout=0 secs idle_timeout=0 secs!

Does anyone have any idea what could be wrong?

Labels:
261
0 Kudos
4 REPLIES 4
AEK
SuperUser
SuperUser

Created on ‎02-26-2025 09:40 AM

Which version is your FortiGate?

Since CVE-2024-3596 fix, FortiOS (7.2.10 & 7.4.5) requires the "Message(Authenticator" attribute. Probably it is not enabled on your RADIUS server.
You can check with diag debug command and try again.

diagnose debug console timestamp enable
diagnose debug application fnbamd -1
diagnose debug enable

 

On case your RADIUS server doesn't support it then try update/upgrade it.

Otherwise there is a workaround in FOS 7.2.11 & 7.4.6 that allows you disable the "Message-Authenticator" attribute.

config user radius
 edit rad1
  set require-message-authenticator disable
 end

Hope it helps.

AEK
AEK
231
IT_DSS
New Contributor II
In response to AEK

Created on ‎02-27-2025 01:25 AM Edited on ‎02-27-2025 01:29 AM

Unfortunately, neither enabling message-authenticator in Authentik radius (though i'm not sure that worked), nor disabling it in fortigate worked. In the end the fortigate still seems to want it

to be funny, diagnose against pap worked
RTR-032 # diagnose test authserver radius VFX_Authentik pap test test
authenticate 'test' against 'pap' succeeded, server=primary assigned_rad_session_id=106803002163201 session_timeout=0 secs idle_timeout=0 secs!

but testing user credentials in radius settings still doesn't work

204
0 Kudos
IT_DSS
New Contributor II
In response to IT_DSS

Created on ‎02-27-2025 01:41 AM

To be even funnier, even though the testing fails, using vpn with this radius server works O.O, thank you very much for the help

196
AEK
SuperUser
SuperUser
In response to IT_DSS

Created on ‎02-27-2025 06:58 AM

That's strange. But happy to hear that it works.

AEK
AEK
183
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.