Radius Attribute type 102 IPS Alerts (around 400K a week)

fortiuser12 · ‎10-05-2021

We have FGTs deployed and we dont have our FGTs configured for any RADIUS authentication service/server.

Whenever a user authentication traffic passes through the fortigate to our remote authentication RADIUS Server having attribute type of 102 in the payload (i.e EAP_KEY_NAME Attribute) - Fortigate flags it and raises it as an IPS Event. - Even though FGT is not even configured for any authentication services.

Can anyone help why is this happening? and how can i remedy this?

One way is to exempt the signature itself from getting flagged, but why is this happening in the first place and should we manually add the attribute ? - but we dont have any RADIUS Server configured or any user groups of RADIUS on our fortigate.

How can we remedy this ?

xsilver_FTNT · ‎09-07-2022

Hi fortiuser12,

if FortiGate flags the traffic as IPS event, so something like log in "Log & Report / Events" , or in "Intrusion Prevention", then it's most probably not about problem with authentication at all.
But you might have firewall policy governing that RADIUS traffic (passing through traffic), which has IPS signature which flag/block/monitor that traffic.

All the details, like policy_id, IPS profile applied etc. should be noted in the log message details (double-click on log record (or use "Details" button) and on right side there should be pop-up banner with details).

Sample:

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff