SSL-VPN Problems with FortiOS 7.2.10 and FortiAuthenticator

Just to share some experiences: we updated our FortiOS from 7.2.8 to 7.2.10 to stay up to date and “secure.” After the update, we realized that the SSL VPN was no longer working. After some research, including looking through posts in this subreddit, we found that FortiAuthenticator needs to be on version 6.6.2 due to changes in RADIUS communication. So, we also updated the FortiAuthenticator from 6.5.4 to 6.6.2, but the SSL VPN still didn’t work, even after trying multiple settings and configurations.

The only solution that worked in the end (since we needed it for our colleagues) was to roll back to FortiOS 7.2.8 and FortiAuthenticator 6.5.4. I also saw a post mentioning that in the FortiOS Admin Guide, under “User & Authentication” in the RADIUS Server AVPs section, the RADIUS attribute number 80 is missing, which is necessary for the Authenticator to receive RADIUS requests (if I understood this correctly).

Hi Trixtemp, thanks for sharing your experiences. I was just about to experience the same issues but this morning Fortinet released a CSB re (RADIUS authentication failure after FortiOS firmware upgrade) and I postponed the upgrade - they also linked this https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-RADIUS-authentication-failure-after-the/ta-p/343112 which mentions “If FortiAuthenticator is being used as the RADIUS server, upgrade FortiAuthenticator to 6.4.10, 6.5.6, 6.6.2, or 7.0.0”

Waiting for FortiAuth 6.5.6 (ETA ~2-3 weeks) as 6.6.2 has some bugs…

Change the RADIUS settings on ftg to PAP and it should work. Keep in mind that PAP is not secure, but at least you have a workaround until this problem gets fixed.

I’m having the same issue, but I am not using Radius or 2FA at all. I’m also running SSLVPN on a non-standard port.

We have an 80F on 7.2.10 with FortiAuthenticator on 6.6.2. CLI command to test RADIUS still fails using all authentication types. Rolled both devices back to images before the message-authenticator attribute was mandatory. Working for now. Have submitted a ticket to Fortinet.

FYI, just saw this this morning going from 7.2.8 to 7.2.10; should have come here first LOL

I’ve been tracking something similar: https://www.reddit.com/r/fortinet/comments/1friudm/upgrade_from_728_to_745_broke_ssl_vpn/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button

After capturing logs on gate and FortiClient TAC thinks it could have something to do with DTLS. Our Gate was configured to only accept DTLS 1.2. Relaxed it to support 1.0 and 1.2. Will try again with FortiClient 7.2.4 and 7.2.5 on FortiOS 7.4.5. Our FAC is now on 6.6.2 and we are not having any issues with it. We use LDAPS sync rules for MFA with FortiToken mobile and it works fine. Not using any SAML, which may have issues.

It is also in the special notices in the release notes for 7.2.10.

https://docs.fortinet.com/document/fortigate/7.2.10/fortios-release-notes/5880/radius-vulnerability

Unfortunately I did not see your answer. That would have done the trick. But better late than never :smiley: Thanks :slight_smile:

As u/Dangerous-Price7857 recommended, changing from MS-CHAPv2 to PAP solved the issue at today’s update to FortiOS v.7.4.7. This is caused when your DomainController has NTLMv1 disabled.
You can read it here :slight_smile: https://community.fortinet.com/t5/FortiAuthenticator/Troubleshooting-Tip-FortiAuthenticator-v6-6-and-RADIUS/ta-p/356880

If this fixes your problem you can request a special build from Forti as mentioned in the Link :wink:

I noticed that if you use FAC for MFA, if you go to the Gate and go to User & Authentication\RADIUS Servers, you can test against your FAC. You should see a Successful Connection Status and “More Validation Required” as it is waiting for the FTKN response. If you go to the corresponding Authentication\RADIUS Service\Clients section on the FAC and enable “Require client to send Message-Authenticator attribute” then the test from the FortiGate side will fail. My understanding is that in order to mitigate the CVE, this must be enabled AFTER the upgrade to 7.2.10 or 7.4.5. I will test this Saturday AM when I have a window.
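The two things this thread keeps coming back to are RADIUS attribute 80 (Message-Authenticator, the HMAC-MD5 that the FortiGate now sends and that the FAC option "Require client to send Message-Authenticator attribute" enforces) and the PAP workaround mentioned earlier. The following is an added example, not code from this thread or from Fortinet: it builds an Access-Request with a PAP-hidden User-Password and a Message-Authenticator exactly as RFC 2865/2869 specify, then runs a server-side check modelled on that FAC option, showing what a legacy client without attribute 80 gets when the option is on versus off. The shared secret, user name, password and fixed Request Authenticator are constructed test values; how the real FortiGate and FortiAuthenticator code is structured is not known from the thread and is not claimed here.

```python
import hashlib
import hmac
import os
import struct

# RADIUS constants from RFC 2865 / RFC 2869.
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_MESSAGE_AUTHENTICATOR = 80   # 16-byte HMAC-MD5 over the whole packet (RFC 2869 s5.14)
HEADER_LEN = 20                   # code(1) + identifier(1) + length(2) + authenticator(16)


def encode_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """PAP User-Password hiding (RFC 2865 s5.2): pad to 16-byte blocks and XOR each block
    with MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def decode_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Reverse of encode_user_password; anyone holding the shared secret can do this,
    which is why PAP over RADIUS is only an interim workaround."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def tlv(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: type, total length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, secret: bytes, username: bytes, password: bytes,
                         request_auth: bytes = None, with_message_authenticator: bool = True) -> bytes:
    """Client side. with_message_authenticator=False models a client from before
    the attribute became mandatory."""
    if request_auth is None:
        request_auth = os.urandom(16)
    attrs = tlv(ATTR_USER_NAME, username)
    attrs += tlv(ATTR_USER_PASSWORD, encode_user_password(password, secret, request_auth))
    if with_message_authenticator:
        attrs += tlv(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)   # placeholder, HMAC'd as zeros
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs)) + request_auth + attrs
    if with_message_authenticator:
        mac = hmac.new(secret, packet, hashlib.md5).digest()   # HMAC over the zero-filled packet
        packet = packet[:-16] + mac                             # attribute 80 is last, so patch the tail
    return packet


def parse_attributes(packet: bytes):
    """Yield (type, value_offset, value); raises ValueError on bad lengths."""
    pos = HEADER_LEN
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("bad attribute length")
        yield attr_type, pos + 2, packet[pos + 2:pos + length]
        pos += length


def check_access_request(packet: bytes, secret: bytes, require_message_authenticator: bool) -> str:
    """Server side, modelled on the FAC option 'Require client to send Message-Authenticator
    attribute'. Returns 'ok', 'ok-no-ma', 'missing-ma', 'bad-ma' or 'malformed'."""
    if len(packet) < HEADER_LEN:
        return "malformed"
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return "malformed"
    try:
        attrs = list(parse_attributes(packet))
    except ValueError:
        return "malformed"
    mas = [(off, val) for typ, off, val in attrs if typ == ATTR_MESSAGE_AUTHENTICATOR]
    if not mas:
        return "missing-ma" if require_message_authenticator else "ok-no-ma"
    off, val = mas[0]
    if len(val) != 16:
        return "malformed"
    zeroed = packet[:off] + b"\x00" * 16 + packet[off + 16:]   # verify against the zero-filled copy
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return "ok" if hmac.compare_digest(expected, val) else "bad-ma"


if __name__ == "__main__":
    secret = b"constructed-shared-secret"                      # constructed test value
    new_client = build_access_request(7, secret, b"alice", b"correct horse battery")
    old_client = build_access_request(7, secret, b"alice", b"correct horse battery",
                                      with_message_authenticator=False)
    for require in (False, True):
        print("require=%s new=%s old=%s" % (require,
              check_access_request(new_client, secret, require),
              check_access_request(old_client, secret, require)))
```

Run it and the last two lines show the situation the thread describes: with the option off both clients pass the gate; with it on, the request without attribute 80 is turned away before any credential check, while a request whose HMAC was computed with a different secret or altered in transit comes back as bad-ma. Both directions matter: the client firmware must emit attribute 80 and the server firmware must verify it, which is why the thread lands on upgrading both sides.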

Hey Wasteway, do you know if ticking the “Require client to send Message-Authenticator attribute” on the FAC after the Gate was already on 7.2.10 was the essential step to get this working?

It should be yes. If your Gate is upgraded to support it, your FAC needs to be also. Our FAC is on 6.6.2 and we’ve had no issue with that version.

I was able to test on 7.4.5, but rolled back to 7.2.8 on the Gate due to a forticlient issue. We should be updating to 7.4.6 when that is released. We have all FortiClients on 7.2.5 now.