turipriv
New Contributor II

Unable to authenticate RADIUS users

Greetings,

I am configuring RADIUS authentication on my FortiGate 101F running FortiOS version 7.4.3.

The Microsoft NPS server has been configured according to this guide.

My RADIUS configuration is as follows:

config user radius
    edit "RADIUS"
        set server "172.16.9.3"
        set secret PSK
        set nas-ip x.x.x.x
        set auth-type ms_chap_v2
        set source-ip "x.x.x.x"
    next
end

The connection between the FortiGate and the NPS is successful, but the test of user credentials fails.

The CLI test output is as follows:

diagnose test authserver radius RADIUS mschap2 user password
authenticate 'user' against 'mschap2' failed, assigned_rad_session_id=1486429090 session_timeout=0 secs idle_timeout=0 secs!

Running a packet capture between the firewall and the RADIUS server, I get an Access-Reject response with the following MS-CHAP error:

Code: 3
ID: 190
Length: 42
Auth: 91 C7 F9 28 0A 50 59 33 13 39 B3 75 58 04 AC EE
AVP: l=22 t=Vendor-Specific(26) v=Microsoft(311)
VSA: l=16 t=MS-CHAP-Error(2)
Value: '<00>E=649 R=0 V=3'

Any insight would be much appreciated.

Thanks in advance.

I'm too lazy for a creative signature
AEK
SuperUser

Hi

Can you test user credentials by entering "domain\user" as user instead of "user"?

AEK
turipriv
New Contributor II

Hi,

Yes, I tried that too, but unfortunately I got the same error message.

I'm too lazy for a creative signature
pminarik
Staff

From MS-CHAPv2 RFC 2759:

649 ERROR_NO_DIALIN_PERMISSION

This is related to the "Dial-in" property of AD users.

You can edit that in each user's Properties > Dial-in tab (allow | deny | control based on NPS policy).

You can also set the Network Policy in NPS itself to ignore the dial-in property (Overview tab, section "Access Permission").


[ corrections always welcome ]
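As an added example (not code from this thread or from Fortinet), here is a small Python decoder that parses the Access-Reject from the capture in the original post and maps the MS-CHAP-Error E= code to its RFC 2759 name, which is the lookup pminarik did by hand above. The packet bytes are constructed to reproduce the captured fields (Code 3, ID 190, Length 42, the Authenticator, and the Microsoft VSA), and the attribute layout follows RFC 2865 and RFC 2548; the error-name table is assumed from RFC 2759 section 6.

```python
import re
import struct

# Attribute numbers from RFC 2865 (Vendor-Specific) and RFC 2548 (Microsoft VSAs).
VENDOR_SPECIFIC, MICROSOFT_VENDOR_ID, MS_CHAP_ERROR = 26, 311, 2
# Error codes carried in the "E=" field, per RFC 2759 section 6.
RFC2759_ERRORS = {646: "ERROR_RESTRICTED_LOGON_HOURS", 647: "ERROR_ACCT_DISABLED",
                  648: "ERROR_PASSWD_EXPIRED", 649: "ERROR_NO_DIALIN_PERMISSION",
                  691: "ERROR_AUTHENTICATION_FAILURE", 709: "ERROR_CHANGING_PASSWORD"}

def parse_radius(packet: bytes) -> dict:
    """Split a RADIUS packet into header fields and a list of (type, value) attributes."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS Length field does not match packet size")
    attrs, pos = [], 20  # 4-byte header + 16-byte Authenticator
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "id": ident, "attrs": attrs}

def mschap_errors(packet: bytes) -> list:
    """Return (E code, RFC 2759 name) for each MS-CHAP-Error VSA in the packet."""
    found = []
    for atype, value in parse_radius(packet)["attrs"]:
        if atype != VENDOR_SPECIFIC or len(value) < 4 or struct.unpack("!I", value[:4])[0] != MICROSOFT_VENDOR_ID:
            continue
        pos = 4  # vendor sub-attributes follow the 4-byte Vendor-Id
        while pos + 2 <= len(value):
            vtype, vlen = value[pos], value[pos + 1]
            if vlen < 2:
                break
            data, pos = value[pos + 2:pos + vlen], pos + vlen
            if vtype == MS_CHAP_ERROR:
                # data = 1-byte Ident + "E=eeeeeeeeee R=r C=... V=vvvvvvvvvv M=<msg>"
                m = re.search(r"\bE=(\d+)", data[1:].decode("ascii", "replace"))
                ecode = int(m.group(1)) if m else -1
                found.append((ecode, RFC2759_ERRORS.get(ecode, "unknown")))
    return found

def build_captured_reject() -> bytes:
    """Constructed bytes reproducing the Access-Reject in the capture (Code 3, ID 190, Length 42)."""
    auth = bytes.fromhex("91c7f9280a5059331339b3755804acee")
    vsa_data = b"\x00" + b"E=649 R=0 V=3"                        # Ident + error string
    vsa = bytes([MS_CHAP_ERROR, 2 + len(vsa_data)]) + vsa_data    # l=16 t=MS-CHAP-Error(2)
    avp_val = struct.pack("!I", MICROSOFT_VENDOR_ID) + vsa        # Vendor-Id + VSA
    avp = bytes([VENDOR_SPECIFIC, 2 + len(avp_val)]) + avp_val    # l=22 t=Vendor-Specific(26)
    return struct.pack("!BBH", 3, 190, 20 + len(avp)) + auth + avp
```

Running `mschap_errors(build_captured_reject())` yields the 649 / ERROR_NO_DIALIN_PERMISSION pair, so the check moves to the NPS side (dial-in property or policy order) rather than the FortiGate secret or user name.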
turipriv
New Contributor II

Hi,

Thank you for your feedback and sorry for my late reply. Unfortunately, both the options you pointed out are already selected in the NPS.

I'm too lazy for a creative signature
pminarik

What does the NPS log on the Windows server say about it?

The error code is very specific and should be very clear, so I would rather trust the NPS. No offense intended. :)

On the NPS server: Event Log Viewer > Custom Views > Server Roles > Network and Policy Access Services.

Find the entry/entries for the rejected attempt. Check what it says. Also pay close attention to and check what rule/policy the attempt matched. (if you have multiple, maybe the matching is not as you expect)

[ corrections always welcome ]
turipriv
New Contributor II

Greetings everyone,

For some reason I fail to understand, the NPS event viewer was not displaying any error messages whatsoever.

Anyway, what I found out is that there was indeed a mismatch in policy due to incorrect policy ordering.

Once the Fortinet-related policy was ranked up, everything worked fine.

Thanks everyone for your insight.

I'm too lazy for a creative signature
martisg1
New Contributor

Usually a weird thing with NPS is a certificate issue. Check out the cert being served up by NPS under the network policy settings. The last weird NPS problem was generating a new cert with OpenSSL and not using the Microsoft CA cert. Something was up with their PKI and I didn't feel like spending 2 weeks trying to figure it out since it's not really my strong suit.

https://vlc.onl/