Symptom
PAP authentication (and other unencrypted authentication methods, e.g., CHAP, MS-CHAPv2...) for Captive Portal and VPN does not work after upgrading FortiGate to the latest version.
Cause
The new software versions from Fortinet enforce the validation of the message-authenticator attribute and reject RADIUS responses with unrecognized proxy-state attributes.
This is the manufacturer's response to a vulnerability named BlastRADIUS and described in CVE-2024-3596.
We have added a patch to the NACVIEW system to support this functionality to increase communication security.
Solution
Run option #7 from the CLI menu. Then reinstall any service from the NACVIEW GUI interface and send it to the other nodes (if operating in an HA environment).
