FortiAuthenticator
akanibek
Staff
Article Id 302031
Description

This article describes how to avoid Radius authentication failures for local admin accounts (accounts with an admin profile) on FortiAuthenticator (FAC) when the authentication request comes from a Radius client.

 

Scenario:

  • FortiAuthenticator acts as the Radius server.
  • There are several Radius clients (switches, routers, etc.).
  • The authentication method configured between the Radius server and its clients is something other than PAP.
  • There is a local admin account, fac.admin, which is used to authenticate to the devices above as a single sign-on account.
Scope

FortiAuthenticator v6.3.X, v6.4.X, v6.5.X and v6.6.X.

*** FortiGate was used as the Radius client in the tests below; it could be any other Radius client.

Solution

According to the admin guide, local admins can be used for Radius authentication only if two mandatory options are set:

  1. Enable the option ‘Allow Radius Authentication’ (configured in the user section):

 

[Screenshot: the ‘Allow Radius Authentication’ option in the user settings of the local admin account]

 

  2. PAP as the authentication method (configured in the Radius settings of the Radius client). See the Administrators article in the documentation.

 

Below are the FAC radius debug outputs for the different authentication methods selected on the Radius client (FortiGate was used as the Radius client). The tests were done with an SSL VPN connection:

  1. Authentication method PAP (or the default) selected in the FGT Radius settings. Only snippets of the FAC radius debug are shown:

 

---------------------------------------------------------------------------

2024-02-29T08:19:20.952159+01:00 FortiAuthenticator radiusd[14827]: (83) # Executing group from file /usr/etc/raddb/sites-enabled/default
2024-02-29T08:19:20.952245+01:00 FortiAuthenticator radiusd[14827]: (83) facauth: Client type: external (subtype: radius)
2024-02-29T08:19:20.952256+01:00 FortiAuthenticator radiusd[14827]: (83) facauth: Input raw_username: (null) Realm: (null) username: fac.admin
2024-02-29T08:19:20.952265+01:00 FortiAuthenticator radiusd[14827]: (83) facauth: Searching default realm as well
2024-02-29T08:19:20.952291+01:00 FortiAuthenticator radiusd[14827]: (83) facauth: Realm not specified, default goes to FAC local user
2024-02-29T08:19:20.954251+01:00 FortiAuthenticator radiusd[14827]: (83) facauth: Local user found: fac.admin
2024-02-29T08:19:20.954279+01:00 FortiAuthenticator radiusd[14827]: (83) facauth: User [enable fido: false, token count: 0, revoked_token_count: 0]
2024-02-29T08:19:20.954292+01:00 FortiAuthenticator radiusd[14827]: (83) facauth: Policy [fido_auth_opt: disabled, twofactor: allow both, no_fido: two factor, revoked: reject]
2024-02-29T08:19:20.954304+01:00 FortiAuthenticator radiusd[14827]: (83) facauth: Decided on [is_fido: false, two_factor: allow both, token_type: none]
2024-02-29T08:19:20.967255+01:00 FortiAuthenticator radiusd[14827]: (83) facauth: Authentication OK
2024-02-29T08:19:20.967329+01:00 FortiAuthenticator radiusd[14827]: (83) facauth: Setting 'Post-Auth-Type := FACAUTH'
2024-02-29T08:19:20.968740+01:00 FortiAuthenticator radiusd[14827]: (83) facauth: Updated auth log 'fac.admin': Local administrator authentication with no token successful
2024-02-29T08:19:20.968851+01:00 FortiAuthenticator radiusd[14827]: (83) # Executing group from file /usr/etc/raddb/sites-enabled/default
2024-02-29T08:19:20.969044+01:00 FortiAuthenticator radiusd[14827]: (83) Sent Access-Accept Id 23 from 172.20.20.20:1812 to 172.20.20.1:21408 length 20

---------------------------------------------------

 

  2. Authentication method mschap-v2 selected in the FGT Radius settings; debug output from FortiAuthenticator. The local admin cannot be authenticated because FAC requires the User-Password attribute (PAP) for local users, so the request is rejected:

 

---------------------------------------------------

2024-02-28T17:24:24.159749+01:00 FortiAuthenticator radiusd[14827]: Not doing PAP as Auth-Type is already set.
2024-02-28T17:24:24.159759+01:00 FortiAuthenticator radiusd[14827]: (74) # Executing group from file /usr/etc/raddb/sites-enabled/default
2024-02-28T17:24:24.159779+01:00 FortiAuthenticator radiusd[14827]: (74) facauth: Client type: external (subtype: radius)
2024-02-28T17:24:24.159785+01:00 FortiAuthenticator radiusd[14827]: (74) facauth: Input raw_username: (null) Realm: (null) username: fac.admin
2024-02-28T17:24:24.159791+01:00 FortiAuthenticator radiusd[14827]: (74) facauth: Searching default realm as well
2024-02-28T17:24:24.159799+01:00 FortiAuthenticator radiusd[14827]: (74) facauth: Realm not specified, default goes to FAC local user
2024-02-28T17:24:24.160697+01:00 FortiAuthenticator radiusd[14827]: (74) facauth: Local user found: fac.admin
2024-02-28T17:24:24.160707+01:00 FortiAuthenticator radiusd[14827]: (74) facauth: User [enable fido: false, token count: 0, revoked_token_count: 0]
2024-02-28T17:24:24.160714+01:00 FortiAuthenticator radiusd[14827]: (74) facauth: Policy [fido_auth_opt: disabled, twofactor: allow both, no_fido: two factor, revoked: reject]
2024-02-28T17:24:24.160721+01:00 FortiAuthenticator radiusd[14827]: (74) facauth: Decided on [is_fido: false, two_factor: allow both, token_type: none]
2024-02-28T17:24:24.160730+01:00 FortiAuthenticator radiusd[14827]: (74) facauth: ERROR: ERROR: local user 'fac.admin' auth require "User-Password" (pap)
2024-02-28T17:24:24.160743+01:00 FortiAuthenticator radiusd[14827]: (74) facauth: Authentication failed
2024-02-28T17:24:24.160794+01:00 FortiAuthenticator radiusd[14827]: (74) facauth: Updated auth log 'fac.admin': Local administrator authentication(mschap) with no token failed: invalid user parameter
2024-02-28T17:24:24.160814+01:00 FortiAuthenticator radiusd[14827]: (74) # Executing group from file /usr/etc/raddb/sites-enabled/default
2024-02-28T17:24:24.492177+01:00 FortiAuthenticator radiusd[14827]: Waking up in 0.6 seconds.
2024-02-28T17:24:25.164202+01:00 FortiAuthenticator radiusd[14827]: (74) Sent Access-Reject Id 3 from 172.20.20.20:1812 to 172.20.20.1:13741 length 2

---------------------------------------
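As an added example (not part of the original article), the following Python script parses radiusd debug lines like the ones above, groups them by request id, and flags requests rejected because the Radius client did not use PAP for a local admin. The sample lines are constructed and abbreviated from the two captures shown above.

```python
import re
from collections import defaultdict

# Constructed sample, abbreviated from the article's two debug captures (not a live capture).
SAMPLE_LOG = """\
radiusd[14827]: Not doing PAP as Auth-Type is already set.
radiusd[14827]: (74) facauth: Input raw_username: (null) Realm: (null) username: fac.admin
radiusd[14827]: (74) facauth: Local user found: fac.admin
radiusd[14827]: (74) facauth: ERROR: ERROR: local user 'fac.admin' auth require "User-Password" (pap)
radiusd[14827]: (74) facauth: Authentication failed
radiusd[14827]: (74) Sent Access-Reject Id 3 from 172.20.20.20:1812 to 172.20.20.1:13741 length 2
radiusd[14827]: (83) facauth: Input raw_username: (null) Realm: (null) username: fac.admin
radiusd[14827]: (83) facauth: Local user found: fac.admin
radiusd[14827]: (83) facauth: Authentication OK
radiusd[14827]: (83) Sent Access-Accept Id 23 from 172.20.20.20:1812 to 172.20.20.1:21408 length 20
"""

REQ_RE = re.compile(r'radiusd\[\d+\]: \((\d+)\) (.*)$')      # "(83) ..." request id + message
USER_RE = re.compile(r' username: (\S+)')                      # leading space skips "raw_username:"
PAP_REQ_RE = re.compile(r'auth require "User-Password" \(pap\)')
RESULT_RE = re.compile(r'Sent (Access-Accept|Access-Reject) Id (\d+)')


def analyse(log_text):
    """Group radiusd debug lines by request id; record user, outcome and the PAP-required error."""
    reqs = defaultdict(lambda: {"user": None, "result": None, "pap_required": False})
    for line in log_text.splitlines():
        m = REQ_RE.search(line)
        if not m:   # lines without a request id ("Not doing PAP ...") carry no per-request state
            continue
        rid, msg = int(m.group(1)), m.group(2)
        req = reqs[rid]
        user = USER_RE.search(msg)
        if user:
            req["user"] = user.group(1)
        if PAP_REQ_RE.search(msg):
            req["pap_required"] = True
        result = RESULT_RE.search(msg)
        if result:
            req["result"] = result.group(1)
    return dict(reqs)


def findings(log_text):
    """One finding per request rejected because the client did not use PAP for a local admin."""
    out = []
    for rid, req in sorted(analyse(log_text).items()):
        if req["result"] == "Access-Reject" and req["pap_required"]:
            out.append(f"request {rid}: local admin '{req['user']}' rejected; "
                       "set the Radius client's authentication method to PAP "
                       "and enable 'Allow Radius Authentication' on the admin account")
    return out


if __name__ == "__main__":
    for f in findings(SAMPLE_LOG):
        print(f)
```

Run it against a full FAC radius debug capture to list every local-admin reject caused by a non-PAP client method.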