Security

  • 1.  Clearpass RADIUS authentication failure after the firmware upgrade fortinet to v7.2.10

    Posted Nov 04, 2024 01:31 PM

    Hello,

    We authenticate our FortiGate against ClearPass. After the upgrade to v7.2.10 we receive an invalid secret for server (ClearPass).

    I found a solution in the FortiGate community; however, this is limited to Windows Server, Linux FreeRADIUS, Cisco ISE and Cisco Duo.

    I would like to know how to send the Message-Authenticator attribute to solve this issue.

    https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-RADIUS-authentication-failure-after-the/ta-p/343112



  • 2.  RE: Clearpass RADIUS authentication failure after the firmware upgrade fortinet to v7.2.10

    Posted Nov 04, 2024 02:11 PM

    Would be good to understand what version you are running today.

    In any case, ClearPass already sends by default the Message-Authenticator attribute as the first attribute in the packet. That doesn't require any configuration. Not sure if you are looking at the same issue here that is discussed in the Fortinet community.

    I recommend taking a Packet Capture on ClearPass to see the actual packets being exchanged.

    Recent ClearPass patches have only introduced an additional configurable service parameter enforcing the presence of the attribute in the request sent by the NAD: https://www.arubanetworks.com/techdocs/ClearPass/CP_ReleaseNotes_6.x.x/Default.htm#ReleaseNotes/Behaviors/Behaviors-6.11.9.htm

    When enabled, this will result in ClearPass dropping any request that does not include the M-A in the first attribute for either a request or a Dynamic Authorization.



    ------------------------------
    I work for Aruba. Any opinions expressed here are solely my own and do not represent that of Hewlett Packard Enterprise or Aruba.
    ------------------------------



  • 3.  RE: Clearpass RADIUS authentication failure after the firmware upgrade fortinet to v7.2.10

    Posted Nov 05, 2024 08:09 AM

    Clearpass version: ClearPass Policy Manager 6.11.7.257550 

    It is already clear what the solution for the authentication problem is (send the Message-Authenticator attribute); however, I don't know how to implement this solution in ClearPass.

    It is explained in the link added in the initial problem description.




  • 4.  RE: Clearpass RADIUS authentication failure after the firmware upgrade fortinet to v7.2.10

    Posted Nov 05, 2024 08:55 AM

    As mentioned, ClearPass always sends the M-A attribute by default. No extra configuration required. 

    If you want to confirm that this is happening in your environment, take a PCAP from your ClearPass server when sending a request: https://www.arubanetworks.com/techdocs/ClearPass/6.11/PolicyManager/Content/CPPM_UserGuide/Admin/ServerConfig_collectlogs.htm

    The only capability added in the patch I called out, is to give the admin a choice to enforce this attribute on requests sent by the NAD.



    ------------------------------
    I work for Aruba. Any opinions expressed here are solely my own and do not represent that of Hewlett Packard Enterprise or Aruba.
    ------------------------------



  • 5.  RE: Clearpass RADIUS authentication failure after the firmware upgrade fortinet to v7.2.10

    Posted Nov 05, 2024 11:25 AM

    Slight clarification:  if the Message-Authenticator AVP is present in the Access-Request, ClearPass responses will always include the AVP as well.  The toggle changes the behavior to ClearPass dropping any request that doesn't include the AVP.

    As for this specific case, have you tested using the CLI?



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------
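    The behaviour described in posts 2, 4 and 5 (the NAD placing Message-Authenticator as the first attribute of the Access-Request, and ClearPass echoing the AVP in its response) can be checked offline against the packets in a capture. The script below is an added example, not ClearPass or FortiGate code: it builds sample RADIUS packets with a constructed shared secret and then reports whether the attribute is present, whether it is the first attribute, and whether its HMAC-MD5 (RFC 2869 section 5.14) validates. All packet contents, user names, addresses and the secret are constructed for the example.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 2869 section 5.14


def encode_attr(attr_type: int, value: bytes) -> bytes:
    # RADIUS TLV: type (1 byte), length (1 byte, includes the 2-byte header), value
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(identifier: int, secret: bytes, attrs: list, with_ma: bool) -> bytes:
    """Build an Access-Request; with_ma=True puts Message-Authenticator first, as the NAD should."""
    request_auth = os.urandom(16)
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    if with_ma:
        body = encode_attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16) + body
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + request_auth + body
    if with_ma:
        # HMAC-MD5 over the whole packet with the M-A value zeroed; value sits at bytes 22..37
        mac = hmac.new(secret, packet, hashlib.md5).digest()
        packet = packet[:22] + mac + packet[38:]
    return packet


def build_access_accept(identifier: int, secret: bytes, request_authenticator: bytes, attrs: list) -> bytes:
    """Build an Access-Accept that echoes Message-Authenticator, as the server does when the request carried one."""
    body = encode_attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16) + b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    # For a response the M-A is keyed over the Request Authenticator, not the Response Authenticator
    mac = hmac.new(secret, header + request_authenticator + body, hashlib.md5).digest()
    body = body[:2] + mac + body[18:]
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865)
    response_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + response_auth + body


def parse_attributes(packet: bytes):
    """Yield (type, value, offset) for every attribute after the 20-byte header."""
    offset = 20
    while offset < len(packet):
        attr_type, attr_len = packet[offset], packet[offset + 1]
        if attr_len < 2 or offset + attr_len > len(packet):
            raise ValueError("malformed attribute at offset %d" % offset)
        yield attr_type, packet[offset + 2:offset + attr_len], offset
        offset += attr_len


def check_message_authenticator(packet: bytes, secret: bytes,
                                request_authenticator: Optional[bytes] = None) -> dict:
    """Report presence, position and HMAC validity of Message-Authenticator in a RADIUS packet.

    Pass request_authenticator when checking a response (Access-Accept/Reject/Challenge)."""
    _code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field %d does not match packet size %d" % (length, len(packet)))
    result = {"present": False, "first": False, "valid": False}
    for index, (attr_type, value, offset) in enumerate(parse_attributes(packet)):
        if attr_type != ATTR_MESSAGE_AUTHENTICATOR:
            continue
        result["present"] = True
        result["first"] = index == 0
        if len(value) != 16:
            break
        zeroed = packet[:offset + 2] + b"\x00" * 16 + packet[offset + 18:]
        if request_authenticator is not None:
            zeroed = zeroed[:4] + request_authenticator + zeroed[20:]
        expected = hmac.new(secret, zeroed, hashlib.md5).digest()
        result["valid"] = hmac.compare_digest(expected, value)
        break
    return result


# Constructed sample data: a made-up secret and user, not taken from any real deployment
SECRET = b"constructed-shared-secret"
GOOD = build_access_request(7, SECRET, [(ATTR_USER_NAME, b"alice"),
                                         (ATTR_NAS_IP_ADDRESS, bytes([192, 0, 2, 1]))], with_ma=True)
NO_MA = build_access_request(8, SECRET, [(ATTR_USER_NAME, b"alice")], with_ma=False)
ACCEPT = build_access_accept(7, SECRET, GOOD[4:20], [(ATTR_USER_NAME, b"alice")])

if __name__ == "__main__":
    print("request with M-A     ", check_message_authenticator(GOOD, SECRET))
    print("request without M-A  ", check_message_authenticator(NO_MA, SECRET))
    print("request, wrong secret", check_message_authenticator(GOOD, b"other-secret"))
    print("response (echoed M-A)", check_message_authenticator(ACCEPT, SECRET, request_authenticator=GOOD[4:20]))
```

    To use it on real traffic, hand the UDP payload of one Access-Request from the ClearPass capture to check_message_authenticator together with that NAD's shared secret. present=False is what a request from a client that omits the AVP (such as the 7.2.10 GUI test mentioned later in this thread) looks like; present=True with valid=False means the attribute is there but was computed with a different secret, which is a different problem from a missing attribute.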



  • 6.  RE: Clearpass RADIUS authentication failure after the firmware upgrade fortinet to v7.2.10

    Posted Nov 06, 2024 04:09 AM

    FortiGate v7.2.10 is not including the Message-Authenticator AVP; there is no option to include this.

    ClearPass includes the message by default.

    I assume one option is left: downgrade the Fortinet and open a ticket at Fortinet support.

    Any other ideas?

     




  • 7.  RE: Clearpass RADIUS authentication failure after the firmware upgrade fortinet to v7.2.10

    Posted Nov 06, 2024 04:31 AM

    Try CLI first to confirm if you are not only hitting the GUI test issue as @chulcher mentioned.

    "Note that on FortiOS 7.2.10, the GUI test (only) will fail because it does not send the Message-Authenticator AVP. See the known issues on FortiGate"

    https://docs.fortinet.com/document/fortigate/7.2.10/fortios-release-notes/236526/known-issues



    ------------------------------
    I work for Aruba. Any opinions expressed here are solely my own and do not represent that of Hewlett Packard Enterprise or Aruba.
    ------------------------------



  • 8.  RE: Clearpass RADIUS authentication failure after the firmware upgrade fortinet to v7.2.10

    Posted Nov 06, 2024 08:24 AM

    If you'll notice in the document that you linked, as of 7.2.10 the Message-Authenticator is ALWAYS sent; there is no configuration, that is just the default behavior.

    ClearPass is just following the lead of the NAS.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------