FortiGate
darisandy
Staff
Article Id 192678

Description


This article explains why a third-party RADIUS server may record multiple failed authentication attempts for a single user who authenticates through FortiGate.

Related document:
Fortinet CLI reference

https://docs.fortinet.com/document/fortigate/6.2.1/cli-reference/403620/user-radius

 

Scope

 

FortiGate.

Solution


By default, when RADIUS authentication is configured, the authentication protocol ('auth-type') is set to 'auto'.

 

config user radius
(radius) # edit RAD                  <----- New entry 'RAD' added.
(RAD) # set auth-type

 

In GUI:

 

[Image: radius_server.JPG, the RADIUS server configuration page in the GUI]

 

auto (GUI default) <----- Use PAP, MSCHAP_v2, and CHAP (in that order).
ms_chap_v2 <----- Microsoft Challenge Handshake Authentication Protocol version 2.
ms_chap <----- Microsoft Challenge Handshake Authentication Protocol.
chap <----- Challenge Handshake Authentication Protocol.
pap <----- Password Authentication Protocol.

When 'auth-type' is set to 'auto', FortiGate tries PAP, MS-CHAPv2, and CHAP against the RADIUS server, in that order, until one of them succeeds.
A single user login can therefore generate up to three authentication requests, each using a different protocol.

If the RADIUS server limits the number of failed attempts (for example with an account lockout policy), every request sent with a protocol the server does not accept is counted as a failed attempt for that user.
Once the limit is reached, the server rejects the user's authentication.
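An added illustration, not part of the article, of how this failure mode looks from the RADIUS server's side. Given constructed log records (the record format, user names and NAS names are assumptions, not real server output), it separates the 'auto' signature (PAP, then MS-CHAPv2, then CHAP within a few seconds, with the earlier attempts rejected) from a plain run of failed logins, which is the check a RADIUS administrator would want before tuning a lockout policy.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Protocol order FortiGate tries when auth-type is 'auto' (per the article).
AUTO_ORDER = ("PAP", "MSCHAPv2", "CHAP")

# Constructed sample log, not real server output. alice: FortiGate on 'auto',
# server accepts only CHAP. bob: NAS fixed to PAP, wrong password three times.
SAMPLE_LOG = """\
2024-05-02T10:00:01 nas=fgt-01 user=alice method=PAP result=Reject
2024-05-02T10:00:01 nas=fgt-01 user=alice method=MSCHAPv2 result=Reject
2024-05-02T10:00:02 nas=fgt-01 user=alice method=CHAP result=Accept
2024-05-02T10:05:10 nas=vpn-02 user=bob method=PAP result=Reject
2024-05-02T10:05:40 nas=vpn-02 user=bob method=PAP result=Reject
2024-05-02T10:06:15 nas=vpn-02 user=bob method=PAP result=Reject
"""

def parse_line(line):
    """Assumed record format: '<ISO ts> nas=.. user=.. method=.. result=..'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def is_auto_burst(run, window):
    """True if `run` looks like one 'auto' login: methods follow AUTO_ORDER,
    all within `window`, and every attempt but the last was rejected."""
    methods = tuple(r["method"] for r in run)
    return (len(run) >= 2 and methods == AUTO_ORDER[:len(run)]
            and run[-1]["ts"] - run[0]["ts"] <= window
            and all(r["result"] == "Reject" for r in run[:-1]))

def classify(log_text, window=timedelta(seconds=5)):
    """Map (nas, user) -> 'auto-mode' or 'repeated-failure' for every
    client/user pair with at least two rejected attempts."""
    by_key = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            r = parse_line(line)
            by_key[(r["nas"], r["user"])].append(r)
    verdicts = {}
    for key, recs in by_key.items():
        recs.sort(key=lambda r: r["ts"])
        if sum(r["result"] == "Reject" for r in recs) < 2:
            continue  # a single failure is not a pattern worth flagging
        verdicts[key] = "repeated-failure"
        for i in range(len(recs) - 1):
            if any(is_auto_burst(recs[i:i + n], window) for n in (2, 3)):
                verdicts[key] = "auto-mode"  # fix: set auth-type explicitly
    return verdicts
```

A pair flagged 'auto-mode' points at a FortiGate whose 'auth-type' should be pinned to the protocol the server accepts, rather than at a user who is actually mistyping a password.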


To resolve this, manually set 'auth-type' to the protocol that the RADIUS server actually uses.

For example, if the RADIUS server uses PAP:

 

config user radius
(radius) # edit RAD
(RAD) # set auth-type pap
(RAD) # end                          <----- Commit the change.
