I've installed Freeradius 3.0 - That was a default with APT-GET - Let me know if manually getting a newer version is essential. I'm using it in front of a Windows Server and a Fortigate Firewall. I have it talking to the server and joined to the domain. I can manually use NTLM_AUTH and it authenticates Windows users like a dream. With DEFAULT Auth-Type = ntlm_auth in files/authorize I can authenticate users with NTRadPing although I cannot without the DEFAULT.... entry. I cannot authenticate users from the radius settings on the Fortigate - They always fail. Looking at logging from Freeradius with -X i see this entry mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' When I do it with NTRadPing with the DEFAULT set to ntlm_auth I get this entry in the logging (0) Found Auth-Type = ntlm_auth So I'm picking something about the request from the Fortigate is setting it to MSCHAP (v1) and with NTRadPing its doing it with ntlm_auth What do I need to do here - disable MSCHAPv1 and if so how - Something else to force MSCHAP to use NTLM_AUTH Essentially I want to use Windows users for Fortinet VPN and next step is going to be adding 2 Factor authentication with Google, Authy or Microsoft - Hoping I can do it as a rolling code so any app will work? Any pointers here or advice would be good if you have some.