FortiGate
sagha
Staff
Article Id 191628
Description
With FortiOS 6.2.3, IKEv2 certificate authentication (EAP) with a remote RADIUS server does not work, despite working correctly in earlier FortiOS versions.

Solution
Run the following debug commands:
# diag debug reset
# diag debug console timestamp enable
# diag debug app fnbamd -1
# diag debug app ike -1
# diag debug app eap_proxy -1
# diag debug enable
The output shows that authentication is failing and that the RADIUS server is returning the result as 1.
[2459] fnbamd_auth_handle_radius_result <----- Result for RADIUS svr 'FAC' 10.10.10.5(1) is 1
[181] fnbamd_comm_send_result-Sending result 1 (error 0, nid 0) for req 1941161457
[724] destroy_auth_session-delete session 1941161457
[2733] handle_req-Rcvd abort req for 1941161457
Checking further in the debug output shows the following error:
[1568] __radius_decode_mppe_key-Incorrect attribute length 50.
[1568] __radius_decode_mppe_key-Incorrect attribute length 50.

Solution.

This is known issue 0610390 in FortiOS 6.2.3, where the MPPE key uses only one specific size.

The issue is resolved in v6.2.5; an upgrade to 6.2.5 is required to fix it.
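
The length reported by `__radius_decode_mppe_key` can be related to key size through the RFC 2548 encoding of the MS-MPPE-Send-Key and MS-MPPE-Recv-Key attributes. The Python below is an added example, not Fortinet code: the shared secret, authenticator and salt are constructed values, and it assumes the logged length counts the 2-octet salt plus the encrypted string.

```python
import hashlib


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def value_length(key_len):
    """Octets in Salt + String for a key of key_len octets (RFC 2548, 2.4.2)."""
    padded = -(-(1 + key_len) // 16) * 16  # Key-Length octet + key, padded to 16
    return 2 + padded


def encrypt_mppe_key(key, secret, authenticator, salt):
    """Build Salt + String the way a RADIUS server would."""
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 octets with the top bit set")
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)
    out, prev = b"", authenticator + salt
    for i in range(0, len(plain), 16):
        # b(1) = MD5(S + R + A), b(i) = MD5(S + c(i-1)); c(i) = p(i) xor b(i)
        prev = _xor(plain[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return salt + out


def decrypt_mppe_key(value, secret, authenticator):
    """Recover the key from Salt + String, accepting any valid key size."""
    if len(value) < 18 or (len(value) - 2) % 16:
        raise ValueError("incorrect attribute length %d" % len(value))
    salt, cipher = value[:2], value[2:]
    plain, prev = b"", authenticator + salt
    for i in range(0, len(cipher), 16):
        block = cipher[i:i + 16]
        plain += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    key_len = plain[0]
    if key_len > len(plain) - 1:
        raise ValueError("key length octet exceeds decrypted data")
    return plain[1:1 + key_len]


# Constructed sample values, not taken from the article.
SECRET = b"constructed-shared-secret"
AUTHENTICATOR = bytes(range(16))  # Request Authenticator of the Access-Request
SALT = b"\x80\x01"
```

Under that assumption, a 32-octet key produces a 50-octet value and a 16-octet key produces a 34-octet value, so a decoder written for a single size rejects the other.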
