
b2swd (b2swd) asked a question.
I recently configured a RADIUS Agent Server (Ubuntu 18.04) and linked the RADIUS app with Fortinet. The communication between the two is working, connectivity test is successful and user credential test returns:
AVP: l=62 t=Reply-Message(18)
Value: 'Enter the code for Email Authentication. Enter '0' to abort.'
AVP: l=110 t=State(24)
Value: 4f 58 72 4d 41 47 70 6b 48 55 79 6e 38 52 66 5a 2b 4e 46 73 4e 77 38 57 61 5a 66 34 77 79 6d 6f 63 63 42 47 43 4e 34 4b 79 56 64 2f 72 76 34 6f 78 58 2b 57 69 39 68 77 69 39 5a 43 35 59 51 52 6b 36 72 34 70 48 61 69 37 69 43 6a 30 4f 30 4b 71 79 6a 62 6f 53 65 67 66 68 39 37 7a 2f 70 35 4a 6c 67 35 50 45 54 6f 6b 6a 45 3d
AVP: l=6 t=Session-Timeout(27)
Value: 60
Which seems ok since it's asking for my auth code.
Problem is, I'm trying to connect to the Forti VPN using those credentials, the client asks for the auth code, I submit and it says "Permission Denied."
The logs, however, show this:
Authentication of user via Radius
success
What am I doing wrong?
Thanks

This is Mihail from Okta Support and I'll be assisting you with this case.
I would recommend double-checking the documentation for the implementation of the configuration since when installing the RADIUS Agent you must be logged in to an account which has all three of Read-only Admin, Mobile Admin, and App admin roles, or Super admin role.
In addition, Okta recommends the use of a dedicated service account to authorize RADIUS agents. A dedicated account ensures that the API token used by the RADIUS agent is not tied to the life-cycle of a specific user account which could be deactivated when the user is deactivated. In addition, service accounts used for RADIUS agents must be given appropriate admin permissions.
For more details, please review the documentation below or open a support ticket with us, so we can have an engineer further look into the matter:
https://help.okta.com/en/prod/Content/Topics/integrations/Agent_Installing_the_Okta_Radius_Agent-linux.htm
I got it working by reinstalling both the app and the agent.
*Lucas Ezequiel Acosta*
On Thu, Mar 18, 2021 at 23:27, Okta Help Center (
community@okta.com) wrote:
@b2swd (b2swd) did you manage to implement any other protocol (EAP-TTLS, etc.) than PAP for 2FA implementation for Fortinet VPN? We are struggling to find a solution for Palo Alto VPN. Currently PAP works well but it doesn't meet our security principles.