Issue
After upgrading to FortiOS 7.2.10 and 7.4.5 or above, RADIUS authentication with the AuthPoint Gateway fails.
In response to the BLAST RADIUS vulnerability (CVE-2024-3596), FortiOS versions 7.2.10 and 7.4.5 and above now enforce verification of the Message-Authenticator RADIUS attribute. The AuthPoint RADIUS Gateway does not support Message-Authenticator verification, and this causes RADIUS authentication to fail.
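The Message-Authenticator check can be reproduced offline to see whether a RADIUS server's responses would pass a client that enforces the attribute. This is an added example, not WatchGuard or Fortinet code: it follows the HMAC-MD5 construction in RFC 2869/RFC 3579, and the function names, shared secret and sample packets are constructed for illustration.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80  # attribute type; the value is always 16 bytes

def ma_offset(packet):
    """Return the offset of the Message-Authenticator value, or None if absent."""
    pos = 20  # attributes start after the 20-byte RADIUS header
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        if atype == MESSAGE_AUTHENTICATOR:
            if alen != 18:
                raise ValueError("bad Message-Authenticator length")
            return pos + 2
        pos += alen
    return None

def check_response(response, request_authenticator, secret):
    """Classify a RADIUS response as 'missing', 'invalid' or 'valid'."""
    (length,) = struct.unpack("!H", response[2:4])
    if length < 20 or length > len(response):
        raise ValueError("bad RADIUS length")
    packet = response[:length]
    off = ma_offset(packet)
    if off is None:
        return "missing"  # what a client enforcing the attribute rejects
    # HMAC-MD5 over the packet with the Request Authenticator in the header
    # and the Message-Authenticator value replaced by 16 zero bytes.
    zeroed = (packet[:4] + request_authenticator + packet[20:off]
              + bytes(16) + packet[off + 16:])
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    ok = hmac.compare_digest(packet[off:off + 16], expected)
    return "valid" if ok else "invalid"

def build_response(code, ident, request_authenticator, secret, attrs=b"", sign=True):
    """Build a constructed response for testing (not captured traffic)."""
    if sign:  # Message-Authenticator placed first, value zeroed for now
        attrs = bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16) + attrs
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    if sign:
        mac = hmac.new(secret, header + request_authenticator + attrs, hashlib.md5).digest()
        attrs = attrs[:2] + mac + attrs[18:]
    response_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_auth + attrs
```

A response classified as `missing` corresponds to the failure described here: the server's reply has no Message-Authenticator for the client to verify.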
Workaround/Solution
There is no workaround at this time. Customers who use AuthPoint MFA with impacted FortiGate devices must downgrade their Fortinet devices. Previous versions of FortiOS allow the user to disable Message-Authenticator validation with RADIUS.
WatchGuard will add support for Message-Authenticator validation in an upcoming AuthPoint release.
For a list of WatchGuard products affected by the BLAST RADIUS vulnerability (CVE-2024-3596), refer to Blast-RADIUS CHAP and PAP Authentication Vulnerability CVE-2024-3596.