
OpenOTP and Fortigate


steph...@gmail.com

Feb 17, 2025, 8:35:00 AM
to RCDevs Security
Hello,

I have updated my Fortigate 60E from 7.0.17 to 7.4.7 and OpenOTP stopped working.

I still have v1.7.9-1, but we don't need anything interactive or push, only TOTP in the mobile app with 6 digit code.

All worked fine for a few years, but now we have an error with the PSK for the RADIUS bridge.

See the debug log below, and the log from WebADM.

What can I do to resolve my problem?

img1.png

img2.png

log.png

Spyridon Gouliarmis (RCDevs)

Feb 17, 2025, 8:46:22 AM
to RCDevs Security
Hello Steph,

You say there's a problem with the RADIUS pre-shared secret, yet you show it working fine when you use the proper secret. Are the first two screenshots from two different Fortigate versions?

The error in the last screenshot is probably that your Fortigate does not send the User-Password field in its RADIUS request. What is the corresponding radiusd debug log?

steph...@gmail.com

Feb 17, 2025, 9:05:29 AM
to RCDevs Security
Hello,

The screenshots are from the same Fortigate.

Test 1: wrong PSK in Fortigate, result as in image 1.
Test 2: good PSK in Fortigate, result as in image 2: Fortigate gives me the error "invalid secret from the server". If I click on "test user credentials" in the Fortigate, Fortigate gives me an error, but the WebADM log tells me that all is fine. But if I test the VPN connection from FortiClient, I get an "LDAP Password not provided" error.

Here is the debug log for test 2:
img3.png

Spyridon Gouliarmis (RCDevs)

Feb 17, 2025, 9:10:32 AM
to RCDevs Security
Our product does not support CHAP, MS-CHAP and similar methods, which only pass a hash of the password, not the password itself. Perhaps the update has made Fortigate change its default method? What's available in the RADIUS server configuration? Perhaps there is a place where you can tell it to use PAP.

steph...@gmail.com

Feb 17, 2025, 10:08:55 AM
to RCDevs Security
Hello,

I can choose "PAP" from the dropdown menu, but the debug log sees an "ms-chap" request...

Spyridon Gouliarmis (RCDevs)

Feb 17, 2025, 10:18:07 AM
to RCDevs Security
Our "radiusd" is just a pre-configured FreeRADIUS (plus our own module and a patch regarding Message-Authenticator). This should be easily reproducible using a vanilla FreeRADIUS, which might make a convincing argument when you contact Fortinet about their software's misbehaviour. Or it works properly with FreeRADIUS and the problem might be on our side.
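The two points made above (a RADIUS bridge that needs the cleartext password can only serve PAP requests, because CHAP/MS-CHAP carry a hash instead of the password, and a wrong shared secret does not produce a clean error but an unusable decoded password) can be checked at the packet level. The following is an added example written for this thread, not code from RCDevs, OpenOTP or Fortinet: it builds two constructed Access-Request packets, one PAP (User-Password obfuscated with the shared secret as in RFC 2865 section 5.2) and one MS-CHAPv2 (Microsoft vendor-specific attributes 11 and 25 with dummy challenge/response bytes, not a real NT-Response), and shows what a bridge that needs the password can recover from each. The shared secret, user name, password and authenticator are all assumed test values.

```python
import hashlib
import struct

# RFC 2865 attribute types used below
USER_NAME = 1
USER_PASSWORD = 2
CHAP_PASSWORD = 3
VENDOR_SPECIFIC = 26
VENDOR_MICROSOFT = 311          # IANA enterprise number for Microsoft (RFC 2548)
MS_CHAP_RESPONSE = 1            # MS-CHAP-Response (v1)
MS_CHAP_CHALLENGE = 11
MS_CHAP2_RESPONSE = 25          # MS-CHAP2-Response (v2)
ACCESS_REQUEST = 1


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 §5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def decode_user_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_user_password. With the wrong secret this yields garbage, not an error."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = encoded[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value


def vsa(vendor: int, vtype: int, value: bytes) -> bytes:
    """Vendor-Specific attribute (RFC 2865 §5.26) wrapping one vendor sub-attribute."""
    return attr(VENDOR_SPECIFIC, struct.pack("!I", vendor) + struct.pack("!BB", vtype, len(value) + 2) + value)


def build_access_request(ident: int, authenticator: bytes, attrs: list) -> bytes:
    body = b"".join(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def build_pap_request(user: bytes, password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    return build_access_request(1, authenticator, [
        attr(USER_NAME, user),
        attr(USER_PASSWORD, encode_user_password(password, secret, authenticator)),
    ])


def build_mschap2_request(user: bytes, authenticator: bytes) -> bytes:
    # Constructed dummy values: 16-byte challenge, 50-byte MS-CHAP2-Response layout
    # (ident, flags, 16-byte peer challenge, 8 reserved, 24-byte NT-Response).
    challenge = b"\x11" * 16
    response = b"\x01\x00" + b"\x22" * 16 + b"\x00" * 8 + b"\x33" * 24
    return build_access_request(2, authenticator, [
        attr(USER_NAME, user),
        vsa(VENDOR_MICROSOFT, MS_CHAP_CHALLENGE, challenge),
        vsa(VENDOR_MICROSOFT, MS_CHAP2_RESPONSE, response),
    ])


def parse_packet(packet: bytes):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length > len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    authenticator, attrs, pos = packet[4:20], [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, authenticator, attrs


def classify_auth_method(attrs: list) -> str:
    """Which authentication method the client used, judged from the attributes present."""
    types = {t for t, _ in attrs}
    ms = {v[4] for t, v in attrs
          if t == VENDOR_SPECIFIC and len(v) >= 6 and struct.unpack("!I", v[:4])[0] == VENDOR_MICROSOFT}
    if USER_PASSWORD in types:
        return "PAP"
    if CHAP_PASSWORD in types:
        return "CHAP"
    if MS_CHAP2_RESPONSE in ms:
        return "MS-CHAPv2"
    if MS_CHAP_RESPONSE in ms:
        return "MS-CHAPv1"
    return "unknown"


def bridge_view(packet: bytes, secret: bytes):
    """What a password-needing bridge sees: (method, cleartext password or None)."""
    code, _, authenticator, attrs = parse_packet(packet)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    method = classify_auth_method(attrs)
    if method != "PAP":
        return method, None           # only a hash is present: nothing to forward as a password
    encoded = next(v for t, v in attrs if t == USER_PASSWORD)
    return method, decode_user_password(encoded, secret, authenticator)
```

Running `bridge_view` on the PAP packet with the right secret returns the password; with the wrong secret it still classifies as PAP but returns bytes that no backend will accept, which is the shape of a shared-secret mismatch. The MS-CHAPv2 packet classifies correctly but yields no password at all, regardless of the secret, which is the situation a "password not provided" error on the bridge side describes.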