Thanks Matthew - You are dead right - mschap was missing from the default config file but was there for inner-tunnel - Once I found I could test inner-tunnel with a different port and found that did work I found the difference looking at the configs. Shame I didn't see your reply first as would have saved me some time. Not too worried about speed as it'll only be handling a few requests a day as its just for VPN authentication which is only used by a handful of users intermittently. Next is the harder process of adding OTP in for 2FA. A quick read indicates there is a standard for a radius response that the Fortiate supports as in my head I assumed I would have to have them put the auth code in the password or username with a character seperator and have freeradius split it. Reading time to make sure I start off with the right process and toolset. I'd like to support standard OTP so users can use Google Auth, Microsoft Auth or Authy on their devices but we'll see. I still have to work out how the initial OTP "codes" are generated against users on the AD server etc. Read, read, read. On Fri, May 30, 2025 at 8:07 PM Matthew Newton via Freeradius-Users < freeradius-users@lists.freeradius.org> wrote:
On 30/05/2025 03:37, Matthew Beechey wrote:
(4) [chap] = noop (4) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' (4) [mschap] = ok (4) [digest] = noop
...
(4) [logintime] = noop Not doing PAP as Auth-Type is already set. (4) [pap] = noop (4) } # authorize = ok (4) Found Auth-Type = mschap (4) Auth-Type sub-section not found. Ignoring.
You've removed 'mschap' from the authenticate section.
A successful query with NTRadPing from a windows PC with DEFAULT Auth-Type = ntlm_auth set in the authorize file it success with this in the debug
(0) Received Access-Request Id 47 from 192.168.0.200:64897 to 192.168.0.4:1812 length 45 (0) User-Name = "anotherADuser" (0) User-Password = "password"
Plain PAP auth, not mschap.
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) authenticate { (0) ntlm_auth: Executing: /usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --username=%{mschap:User-Name} --password=%{User-Password}:
Correctly running ntlm_auth with a password.
It specifically has Found Auth-Type = ntlm_auth so my issue is the MSCHAP - I've done something wrong to force that to NTLM_AUTH
You need to put the mschap entry back and configure the mschap module.
"mschap" authenticates MSCHAP.
"ntlm_auth" runs the "exec" module (see mods-available/ntlm_auth) to pass a plain username and password (i.e. PAP auth) to Samba/AD.
You need both to work.
Note that you're very likely better to configure LDAP to handle the PAP auth. It will be much faster, and you can use LDAPS (ntlm_auth will probably send the password in the clear over the local network to AD).
Should I instead change
Auth-Type MS-CHAP { mschap }
to
Auth-Type MS-CHAP { mschap ntlm_auth }
No. You can't authenticate PAP with the mschap module, or MSCHAP with the ntlm_auth utility in password mode.
-- Matthew
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html