Article Id 367541
Description: This article describes how to work around the mandatory 'Message-Authenticator' attribute check that FortiGate now applies to RADIUS Access-Request/Access-Accept exchanges.
Scope: FortiGate v7.2.11, v7.4.6 and v7.6.1.
Solution

After upgrading the FortiGate to v7.2.10, v7.4.5, or v7.6.1, the RADIUS connection shows as failed with the error message 'Invalid secret for the server' or 'No message-authenticator attribute'. This is caused by the mitigations applied to protect against the Blast RADIUS vulnerability.

Some RADIUS servers and products that have reached end of support (EOS) do not have the latest fix, and in other scenarios the required attribute cannot be enabled on the server.

To address this, a setting has been added under the FortiGate RADIUS configuration as a workaround, allowing administrators to control the Blast RADIUS mitigation behavior.

The default action is 'enable'. With the default action, when the server does not respond with the Message-Authenticator attribute, the failure logs appear as below.

 

Access-Request:

[Screenshot: Access-Request packet capture]

Access-Accept:

[Screenshot: Access-Accept packet capture]

 

Debugs:

 

[1125] __rad_chk_resp_authenticator-The Message Authenticator validation is mandatory now
[1158] __rad_chk_resp_authenticator-No Message Authenticator
[1212] fnbamd_rad_validate_pkt-Invalid digest
[905] __rad_rxtx-Error validating radius rsp
[1028] __rad_error-Ret 5, st = 1.
[295] fnbamd_radius_get_next_auth_prot-Next auth prot PAP
[1077] __rad_error-
[306] __rad_udp_close-closed.
[964] __rad_conn_stop-Stop rad conn timer.
[1286] fnbamd_rad_process-Result from radius svr 'radius' is 5, req 19542270672899
[1485] fnbamd_rad_process-Challenged: 0, FTK_Challenge: 0, CHG_PWD: 0, Invaid_Digest: 1, State_Len: 0

 

Set the require-message-authenticator attribute action to 'disable'.

 

config user radius
    edit "radius"
        set server "xx.xx.xx.xx"
        set require-message-authenticator disable
    next
end

 

With this change, authentication succeeds even though the server does not send the attribute:

 

[1125] __rad_chk_resp_authenticator-The Message Authenticator validation is optional now
[1158] __rad_chk_resp_authenticator-No Message Authenticator
[1216] fnbamd_rad_validate_pkt-RADIUS resp code 2
[912] __rad_rxtx-
[1286] fnbamd_rad_process-Result from radius svr 'radius' is 0, req 19542270672900
[1485] fnbamd_rad_process-Challenged: 0, FTK_Challenge: 0, CHG_PWD: 0, Invaid_Digest: 0, State_Len: 0
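To make the two debug sequences above concrete, here is an added Python example (not Fortinet's code) that builds an Access-Accept with and without the Message-Authenticator attribute and validates it the way a RADIUS client does under mandatory versus optional checking; the shared secret, Request Authenticator and result strings are constructed for illustration.

```python
import hashlib
import hmac
import struct

MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 2869)

def build_response(code, ident, req_auth, attrs, secret, add_msg_auth):
    """Build a RADIUS response as a server would. attrs: list of (type, value).
    Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    if add_msg_auth:  # 16 zero bytes stand in for the HMAC while it is computed
        body += struct.pack("!BB", MSG_AUTH, 18) + b"\x00" * 16
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    if add_msg_auth:
        mac = hmac.new(secret, header + req_auth + body, hashlib.md5).digest()
        body = body[:-16] + mac
    resp_auth = hashlib.md5(header + req_auth + body + secret).digest()
    return header + resp_auth + body

def validate_response(pkt, req_auth, secret, require_message_authenticator=True):
    """Client-side checks in the order the debug output above suggests.
    Returns a constructed result string (not FortiGate's exact messages)."""
    length = struct.unpack("!BBH", pkt[:4])[2]
    header, resp_auth, body = pkt[:4], pkt[4:20], pkt[20:length]
    # 1. Shared-secret digest: a wrong secret or tampered attributes fail here
    expected = hashlib.md5(header + req_auth + body + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return "Invalid digest"
    # 2. Look for Message-Authenticator and verify its HMAC-MD5 over the packet
    offset = 0
    while offset + 2 <= len(body):
        t, l = body[offset], body[offset + 1]
        if l < 2 or offset + l > len(body):
            return "Malformed attribute"
        if t == MSG_AUTH and l == 18:
            zeroed = body[:offset + 2] + b"\x00" * 16 + body[offset + 18:]
            mac = hmac.new(secret, header + req_auth + zeroed, hashlib.md5).digest()
            if hmac.compare_digest(mac, body[offset + 2:offset + 18]):
                return "OK"
            return "Invalid Message-Authenticator"
        offset += l
    # 3. Attribute absent: fatal when mandatory, accepted when optional
    return "No Message Authenticator" if require_message_authenticator else "OK"

# Constructed sample: secret, Request Authenticator, and a Reply-Message (type 18)
SECRET = b"constructed-shared-secret"
REQ_AUTH = bytes(range(16))
WITH_MA = build_response(2, 7, REQ_AUTH, [(18, b"Welcome")], SECRET, True)
WITHOUT_MA = build_response(2, 7, REQ_AUTH, [(18, b"Welcome")], SECRET, False)
```

Setting require_message_authenticator to False reproduces the 'optional now' path: the same attribute-less Access-Accept is rejected under the default and accepted under the workaround, while a wrong shared secret still fails the digest check in both modes.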

 

 

In v7.4.6 and v7.6.1, when the RADIUS server entry has require-message-authenticator disabled, the GUI RADIUS Server dialog -> 'Test connectivity' and 'Test user credentials' still check for the Message-Authenticator value and incorrectly fail the test with a 'missing authenticator' error message.

 

This is only a GUI display issue; the end-to-end integration with the RADIUS server should still work.

Workaround:

The user can confirm the connection to the RADIUS server via the CLI command:


diagnose test authserver radius <server> <method> <user> <password>

 

This behavior is fixed in the following versions: v7.2.11, v7.4.8, v7.6.3.

 

Related article:

Troubleshooting Tip: RADIUS authentication failure after the firmware upgrade to v7.2.10/v7.4.5/v7.6...