Just to share some experiences: we updated our FortiOS from 7.2.8 to 7.2.10 to stay up to date and “secure.” After the update, we realized that the SSL VPN was no longer working. After some research, including looking through posts in this subreddit, we found that FortiAuthenticator needs to be on version 6.6.2 due to changes in RADIUS communication. So, we also updated the FortiAuthenticator from 6.5.4 to 6.6.2, but the SSL VPN still didn’t work, even after trying multiple settings and configurations.
The only solution that worked in the end (since we needed it for our colleagues) was to roll back to FortiOS 7.2.8 and FortiAuthenticator 6.5.4. I also saw a post mentioning that in the FortiOS Admin Guide, under “User & Authentication” in the RADIUS Server AVPs section, the RADIUS attribute number 80 is missing, which is necessary for the Authenticator to receive RADIUS requests (if I understood this correctly).
Hi Trixtemp, thanks for sharing your experiences. I was just about to experience the same issues but this morning Fortinet released a CSB re (RADIUS authentication failure after FortiOS firmware upgrade) and I postponed the upgrade - they also linked this https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-RADIUS-authentication-failure-after-the/ta-p/343112 which mentions “If FortiAuthenticator is being used as the RADIUS server, upgrade FortiAuthenticator to 6.4.10, 6.5.6, 6.6.2, or 7.0.0”
Waiting for FortiAuth 6.5.6 (ETA ~2-3 weeks) as 6.6.2 has some bugs…
Change the RADIUS settings on the FGT to PAP and it should work. Keep in mind that PAP is not secure, but at least you have a workaround until this problem gets fixed.
We have an 80F on 7.2.10 with FortiAuthenticator on 6.6.2. CLI command to test RADIUS still fails using all authentication types. Rolled both devices back to images before the message-authenticator attribute was mandatory. Working for now. Have submitted a ticket to Fortinet.
After capturing logs on gate and FortiClient TAC thinks it could have something to do with DTLS. Our Gate was configured to only accept DTLS 1.2. Relaxed it to support 1.0 and 1.2. Will try again with FortiClient 7.2.4 and 7.2.5 on FortiOS 7.4.5. Our FAC is now on 6.6.2 and we are not having any issues with it. We use LDAPS sync rules for MFA with FortiToken mobile and it works fine. Not using any SAML, which may have issues.
I noticed that if you use FAC for MFA, if you go to the Gate and go to User & Authentication\RADIUS Servers, you can test against your FAC. You should see a Successful Connection Status and “More Validation Required” as it is waiting for the FTKN response. If you go to the corresponding Authentication\RADIUS Service\Clients section on the FAC and enable “Require client to send Message-Authenticator attribute” then the test from the FortiGate side will fail. My understanding is that in order to mitigate the CVE, this must be enabled AFTER the upgrade to 7.2.10 or 7.4.5. I will test this Saturday AM when I have a window.
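A worked illustration of the attribute the thread keeps coming back to, added here and not taken from any post or from Fortinet: building a RADIUS Access-Request that carries attribute 80 (Message-Authenticator, the RFC 2869 HMAC-MD5 over the packet with the attribute value zeroed) and the server-side check that the FAC's "Require client to send Message-Authenticator attribute" setting enforces. The shared secret, user name and NAS identifier are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IDENTIFIER = 32
ATTR_MESSAGE_AUTHENTICATOR = 80   # the "attribute number 80" mentioned in the thread

def encode_attr(attr_type, value):
    # RADIUS AVP layout: Type (1 byte), Length (1 byte, header included), Value
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(secret, ident, authenticator, attrs):
    # attrs: list of (type, value) pairs; attribute 80 is appended and filled in here
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    # RFC 2869: compute HMAC-MD5 with the Message-Authenticator value set to 16 zero octets
    body += encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    packet = header + authenticator + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac   # replace the zeroed placeholder with the real HMAC

def find_message_authenticator(packet):
    # Walk the attribute list; return (value offset, value) or None if attribute 80 is absent
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            return None   # malformed attribute list
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and length == 18:
            return pos + 2, packet[pos + 2:pos + 18]
        pos += length
    return None

def verify_message_authenticator(secret, packet):
    # Server-side check: reject if attribute 80 is missing or its HMAC does not verify
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    found = find_message_authenticator(packet)
    if found is None:
        return False   # the case that the "Require ... Message-Authenticator" setting rejects
    offset, received = found
    zeroed = packet[:offset] + bytes(16) + packet[offset + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, received)

# constructed sample values, not real credentials; a real client uses 16 random authenticator octets
SECRET = b"constructed-shared-secret"
SAMPLE = build_access_request(SECRET, 7, bytes(range(16)), [(ATTR_USER_NAME, b"alice"), (ATTR_NAS_IDENTIFIER, b"fgt-80f")])
```

A request with a correct attribute 80 verifies; one signed with the wrong secret, one with a modified user name, and one with the attribute stripped out are all rejected.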
Hey Wasteway, do you know if ticking the “Require client to send Message-Authenticator attribute” on the FAC after the Gate was already on 7.2.10 was the essential step to get this working?
I was able to test on 7.4.5, but rolled back to 7.2.8 on the Gate due to a FortiClient issue. We should be updating to 7.4.6 when that is released. We have all FortiClients on 7.2.5 now.