
KoreyO.99484 (Customer) asked a question.
Our current environment has a working VPN configuration. We have a FortiGate and configured the RADIUS Server settings to point to our RADIUS Windows client. OKTA is the middleman in this setup. Fortinet recently released firmware version 7.2.10, and after the update, our VPN stopped working. This all points to the new requirement that the RADIUS client use a Message-Authenticator.
Does anyone out there have a similar setup, including FortiGate 7.2.10, and have their VPN working?

Hello @KoreyO.99484 (Customer) Thank you for posting on our Community page!
Okta is aware of this behavior, as this is a result of Fortinet resolving a RADIUS vulnerability as described in CVE-2024-3596. As a result, firewall authentication, FortiGate administrative web UI authentication, and WiFi authentication may be affected depending on the functionality of the RADIUS server software used in your environment. RFC 3579 contains information on the affected RADIUS attribute, message-authenticator. More details can be found here.
As a solution to this, we have these options:
- Move from PAP to EAP-TTLS
- Wait for us to release the updated RADIUS agent that supports Message-Authenticator
- Move to SAML: SSL VPN with Okta as SAML IdP
Here are the supported documents that will help you with this:
- https://help.okta.com/oie/en-us/content/topics/integrations/fortinet-radius-intg-app.htm
- https://help.okta.com/oie/en-us/content/topics/integrations/about-certificates.htm
- https://help.okta.com/oie/en-us/content/topics/integrations/integrations-bp-saml.htm
Thank you for reaching out to our Community and have a great day!
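As an added example (not code from Okta, Fortinet, or anyone in this thread), here is how the Message-Authenticator attribute that the answer points to in RFC 3579 is produced by a RADIUS client and checked by a server: an HMAC-MD5 keyed with the shared secret over the whole packet, with the attribute's own 16-byte value zeroed. The shared secret, identifier, Request Authenticator and attributes in the test are constructed values; a server patched for CVE-2024-3596 rejects Access-Requests where the check fails or the attribute is missing.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80   # RFC 3579 section 3.2
HEADER_LEN = 20                   # code, id, length, 16-byte Request Authenticator
MAC_LEN = 16

def _attr(attr_type, value):
    # RADIUS attribute TLV: type, total length, value (RFC 2865 section 5)
    return bytes([attr_type, len(value) + 2]) + value

def build_access_request(secret, identifier, request_authenticator, attrs):
    """Client side: build an Access-Request carrying a valid Message-Authenticator."""
    body = b"".join(_attr(t, v) for t, v in attrs)
    # The HMAC is computed with the attribute value set to 16 zero bytes...
    body += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(MAC_LEN))
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
    packet += request_authenticator + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    # ...then the zero placeholder (here the last 16 bytes) is replaced by the MAC.
    return packet[:-MAC_LEN] + mac

def parse_attrs(packet):
    """Yield (type, offset, value) for each attribute; reject malformed lengths."""
    offset = HEADER_LEN
    while offset < len(packet):
        attr_len = packet[offset + 1] if offset + 1 < len(packet) else 0
        if attr_len < 2 or offset + attr_len > len(packet):
            raise ValueError("malformed attribute length")
        yield packet[offset], offset, packet[offset + 2:offset + attr_len]
        offset += attr_len

def verify_message_authenticator(secret, packet):
    """Server side: True only if exactly one valid Message-Authenticator is present."""
    if len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    try:
        found = [(o, v) for t, o, v in parse_attrs(packet) if t == ATTR_MESSAGE_AUTHENTICATOR]
    except ValueError:
        return False
    if len(found) != 1 or len(found[0][1]) != MAC_LEN:
        return False  # absent, duplicated or malformed: a patched server must reject
    offset, received = found[0]
    zeroed = packet[:offset + 2] + bytes(MAC_LEN) + packet[offset + 2 + MAC_LEN:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, received)
```

A RADIUS proxy or agent that forwards a request without recomputing this attribute, or that omits it entirely, is what a FortiGate on patched firmware will now refuse.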