Sorry Alan - Still can't work it out. I follow https://www.freeradius.org/documentation/freeradius-server/4.0.0/howto/datas... and when I run the radtest -t mschap user password localhost 0 Secret it fails. Sent Access-Request Id 244 from 0.0.0.0:44341 to 127.0.0.1:1812 length 132 User-Name = "adusername" MS-CHAP-Password = "userspassword" NAS-IP-Address = 192.168.0.4 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "userspassword" MS-CHAP-Challenge = 0x7df3afa84773538b MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000007e5bc7e85c580eee4508e19f2e2a6a8f668ee74d77650dc0 Received Access-Reject Id 244 from 127.0.0.1:1812 to 127.0.0.1:44341 length 38 Message-Authenticator = 0xce92d2aea5bb877a5b2fd71314caa01d (0) -: Expected Access-Accept got Access-Reject Looking in the debug session I get this (4) Received Access-Request Id 244 from 127.0.0.1:44341 to 127.0.0.1:1812 length 132 (4) Message-Authenticator = 0x8822fd20979e54ad9ab9c3861aa1e58f (4) User-Name = "adusername" (4) NAS-IP-Address = 192.168.0.4 (4) NAS-Port = 0 (4) MS-CHAP-Challenge = 0x7df3afa84773538b (4) MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000007e5bc7e85c580eee4508e19f2e2a6a8f668ee74d77650dc0 (4) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (4) authorize { (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = notfound (4) } # policy filter_username = notfound (4) [preprocess] = ok (4) [chap] = noop (4) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' (4) [mschap] = ok (4) [digest] = noop (4) suffix: Checking for suffix after "@" (4) suffix: No '@' in User-Name = "adusername", looking up realm NULL (4) suffix: No such realm "NULL" (4) [suffix] = noop (4) eap: No EAP-Message, not doing EAP (4) [eap] = noop (4) [files] = noop (4) [expiration] = noop (4) [logintime] = noop Not doing PAP as Auth-Type is already set. (4) [pap] = noop (4) } # authorize = ok (4) Found Auth-Type = mschap (4) Auth-Type sub-section not found. Ignoring. (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (4) Failed to authenticate the user (4) Using Post-Auth-Type Reject (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (4) Post-Auth-Type REJECT { (4) attr_filter.access_reject: EXPAND %{User-Name} (4) attr_filter.access_reject: --> adusername (4) attr_filter.access_reject: Matched entry DEFAULT at line 11 (4) [attr_filter.access_reject] = updated (4) [eap] = noop (4) policy remove_reply_message_if_eap { (4) if (&reply:EAP-Message && &reply:Reply-Message) { (4) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (4) else { (4) [noop] = noop (4) } # else = noop (4) } # policy remove_reply_message_if_eap = noop (4) } # Post-Auth-Type REJECT = updated (4) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (4) Sending delayed response (4) Sent Access-Reject Id 244 from 127.0.0.1:1812 to 127.0.0.1:44341 length 38 Waking up in 3.9 seconds. (4) Cleaning up request packet ID 244 with timestamp +929 due to cleanup_delay was reached A successful query with NTRadPing from a windows PC with DEFAULT Auth-Type = ntlm_auth set in the authorize file it success with this in the debug (0) Received Access-Request Id 47 from 192.168.0.200:64897 to 192.168.0.4:1812 length 45 (0) User-Name = "anotherADuser" (0) User-Password = "password" (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "tammi", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) files: users: Matched entry DEFAULT at line 180 (0) [files] = ok (0) [expiration] = noop (0) [logintime] = noop Not doing PAP as Auth-Type is already set. (0) [pap] = noop (0) } # authorize = ok (0) Found Auth-Type = ntlm_auth (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) authenticate { (0) ntlm_auth: Executing: /usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --username=%{mschap:User-Name} --password=%{User-Password}: (0) ntlm_auth: EXPAND --username=%{mschap:User-Name} (0) ntlm_auth: --> --username=anotheraduser (0) ntlm_auth: EXPAND --password=%{User-Password} (0) ntlm_auth: --> --password=password (0) ntlm_auth: Program returned code (0) and output ': (0x0)' (0) ntlm_auth: Program executed successfully (0) [ntlm_auth] = ok (0) } # authenticate = ok (0) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default (0) post-auth { (0) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { (0) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE (0) update { (0) No attributes updated for RHS &session-state: (0) } # update = noop (0) [exec] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) if (EAP-Key-Name && &reply:EAP-Session-Id) { (0) if (EAP-Key-Name && &reply:EAP-Session-Id) -> FALSE (0) } # post-auth = noop (0) Sent Access-Accept Id 47 from 192.168.0.4:1812 to 192.168.0.200:64897 length 38 (0) Finished request Waking up in 4.9 seconds. (0) Cleaning up request packet ID 47 with timestamp +5 due to cleanup_delay was reached It specifically has Found Auth-Type = ntlm_auth so my issue is the MSCHAP - I've done something wrong to force that to NTLM_AUTH The guides talk about putting ntlm_auth in default and inner-tunnel - I have the line ntlm_auth just on its own in the AUTHENTICATE section after Auth-type MSCHAP {} and digest. Should I instead change Auth-Type MS-CHAP { mschap } to Auth-Type MS-CHAP { mschap ntlm_auth } Or even remove the mchap from that section entirely? I'm sure I've followed everything but I've obviously missed something or perhaps made a typo. I've checked and checked again but sometimes the brain reads what it expects to read but I'm confident I don't have any typos. PS - I've only just realised you are the founder and still project lead - We are privileged you monitor the user list at all and thank you for your dedication to your project. I've only just dipped my heals here in the interest of providing a client a solution based only on time vs the many people using your product as a service who bill monthly per user. On Fri, May 30, 2025 at 1:09 AM Alan DeKok via Freeradius-Users < freeradius-users@lists.freeradius.org> wrote:
On May 28, 2025, at 6:56 PM, Matthew Beechey <mobiusnz@gmail.com> wrote:
I've installed Freeradius 3.0 - That was a default with APT-GET - Let me know if manually getting a newer version is essential.
It should be dine.
I'm using it in front of a Windows Server and a Fortigate Firewall.
I have it talking to the server and joined to the domain. I can manually use NTLM_AUTH and it authenticates Windows users like a dream.
That's good.
With DEFAULT Auth-Type = ntlm_auth in files/authorize I can authenticate users with NTRadPing although I cannot without the DEFAULT.... entry.
If only there was some kind of debug output you could read to see what's going on.
http://wiki.freeradius <http://wiki.freeradius/>.org/list-help
I cannot authenticate users from the radius settings on the Fortigate - They always fail. Looking at logging from Freeradius with -X i see this entry
mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
When I do it with NTRadPing with the DEFAULT set to ntlm_auth I get this entry in the logging
(0) Found Auth-Type = ntlm_auth
So I'm picking something about the request from the Fortigate is setting it to MSCHAP (v1) and with NTRadPing its doing it with ntlm_auth
What do I need to do here - disable MSCHAPv1 and if so how - Something else to force MSCHAP to use NTLM_AUTH
Perhaps read mods-available/mschap Look for "ntlm".
Essentially I want to use Windows users for Fortinet VPN and next step is going to be adding 2 Factor authentication with Google, Authy or Microsoft - Hoping I can do it as a rolling code so any app will work? Any pointers here or advice would be good if you have some.
The documentation is pretty much in front of you already. Just follow it, and it will work.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html