Help with NTLM_AUTH and a Fortigate
I've installed Freeradius 3.0 - That was a default with APT-GET - Let me know if manually getting a newer version is essential. I'm using it in front of a Windows Server and a Fortigate Firewall. I have it talking to the server and joined to the domain. I can manually use NTLM_AUTH and it authenticates Windows users like a dream. With DEFAULT Auth-Type = ntlm_auth in files/authorize I can authenticate users with NTRadPing although I cannot without the DEFAULT.... entry. I cannot authenticate users from the radius settings on the Fortigate - They always fail. Looking at logging from Freeradius with -X i see this entry mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' When I do it with NTRadPing with the DEFAULT set to ntlm_auth I get this entry in the logging (0) Found Auth-Type = ntlm_auth So I'm picking something about the request from the Fortigate is setting it to MSCHAP (v1) and with NTRadPing its doing it with ntlm_auth What do I need to do here - disable MSCHAPv1 and if so how - Something else to force MSCHAP to use NTLM_AUTH Essentially I want to use Windows users for Fortinet VPN and next step is going to be adding 2 Factor authentication with Google, Authy or Microsoft - Hoping I can do it as a rolling code so any app will work? Any pointers here or advice would be good if you have some.
On May 28, 2025, at 6:56 PM, Matthew Beechey <mobiusnz@gmail.com> wrote:
I've installed Freeradius 3.0 - That was a default with APT-GET - Let me know if manually getting a newer version is essential.
It should be dine.
I'm using it in front of a Windows Server and a Fortigate Firewall.
I have it talking to the server and joined to the domain. I can manually use NTLM_AUTH and it authenticates Windows users like a dream.
That's good.
With DEFAULT Auth-Type = ntlm_auth in files/authorize I can authenticate users with NTRadPing although I cannot without the DEFAULT.... entry.
If only there was some kind of debug output you could read to see what's going on. http://wiki.freeradius <http://wiki.freeradius/>.org/list-help
I cannot authenticate users from the radius settings on the Fortigate - They always fail. Looking at logging from Freeradius with -X i see this entry
mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
When I do it with NTRadPing with the DEFAULT set to ntlm_auth I get this entry in the logging
(0) Found Auth-Type = ntlm_auth
So I'm picking something about the request from the Fortigate is setting it to MSCHAP (v1) and with NTRadPing its doing it with ntlm_auth
What do I need to do here - disable MSCHAPv1 and if so how - Something else to force MSCHAP to use NTLM_AUTH
Perhaps read mods-available/mschap Look for "ntlm".
Essentially I want to use Windows users for Fortinet VPN and next step is going to be adding 2 Factor authentication with Google, Authy or Microsoft - Hoping I can do it as a rolling code so any app will work? Any pointers here or advice would be good if you have some.
The documentation is pretty much in front of you already. Just follow it, and it will work. Alan DeKok.
Ah but Alan - I'd followed and online guide to get it working and didn't want to actually have to learn anything :O - Sounds like I'm not far off so I'll read some actual documentation rather than a hastily thrown together guide. It was pretty painful as the guides all seem to be the same and are badly out of date so folder names etc have changed. Thanks for the nudge. On Fri, May 30, 2025 at 1:09 AM Alan DeKok via Freeradius-Users < freeradius-users@lists.freeradius.org> wrote:
On May 28, 2025, at 6:56 PM, Matthew Beechey <mobiusnz@gmail.com> wrote:
I've installed Freeradius 3.0 - That was a default with APT-GET - Let me know if manually getting a newer version is essential.
It should be dine.
I'm using it in front of a Windows Server and a Fortigate Firewall.
I have it talking to the server and joined to the domain. I can manually use NTLM_AUTH and it authenticates Windows users like a dream.
That's good.
With DEFAULT Auth-Type = ntlm_auth in files/authorize I can authenticate users with NTRadPing although I cannot without the DEFAULT.... entry.
If only there was some kind of debug output you could read to see what's going on.
http://wiki.freeradius <http://wiki.freeradius/>.org/list-help
I cannot authenticate users from the radius settings on the Fortigate - They always fail. Looking at logging from Freeradius with -X i see this entry
mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
When I do it with NTRadPing with the DEFAULT set to ntlm_auth I get this entry in the logging
(0) Found Auth-Type = ntlm_auth
So I'm picking something about the request from the Fortigate is setting it to MSCHAP (v1) and with NTRadPing its doing it with ntlm_auth
What do I need to do here - disable MSCHAPv1 and if so how - Something else to force MSCHAP to use NTLM_AUTH
Perhaps read mods-available/mschap Look for "ntlm".
Essentially I want to use Windows users for Fortinet VPN and next step is going to be adding 2 Factor authentication with Google, Authy or Microsoft - Hoping I can do it as a rolling code so any app will work? Any pointers here or advice would be good if you have some.
The documentation is pretty much in front of you already. Just follow it, and it will work.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Sorry Alan - Still can't work it out. I follow https://www.freeradius.org/documentation/freeradius-server/4.0.0/howto/datas... and when I run the radtest -t mschap user password localhost 0 Secret it fails. Sent Access-Request Id 244 from 0.0.0.0:44341 to 127.0.0.1:1812 length 132 User-Name = "adusername" MS-CHAP-Password = "userspassword" NAS-IP-Address = 192.168.0.4 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "userspassword" MS-CHAP-Challenge = 0x7df3afa84773538b MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000007e5bc7e85c580eee4508e19f2e2a6a8f668ee74d77650dc0 Received Access-Reject Id 244 from 127.0.0.1:1812 to 127.0.0.1:44341 length 38 Message-Authenticator = 0xce92d2aea5bb877a5b2fd71314caa01d (0) -: Expected Access-Accept got Access-Reject Looking in the debug session I get this (4) Received Access-Request Id 244 from 127.0.0.1:44341 to 127.0.0.1:1812 length 132 (4) Message-Authenticator = 0x8822fd20979e54ad9ab9c3861aa1e58f (4) User-Name = "adusername" (4) NAS-IP-Address = 192.168.0.4 (4) NAS-Port = 0 (4) MS-CHAP-Challenge = 0x7df3afa84773538b (4) MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000007e5bc7e85c580eee4508e19f2e2a6a8f668ee74d77650dc0 (4) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (4) authorize { (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = notfound (4) } # policy filter_username = notfound (4) [preprocess] = ok (4) [chap] = noop (4) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' (4) [mschap] = ok (4) [digest] = noop (4) suffix: Checking for suffix after "@" (4) suffix: No '@' in User-Name = "adusername", looking up realm NULL (4) suffix: No such realm "NULL" (4) [suffix] = noop (4) eap: No EAP-Message, not doing EAP (4) [eap] = noop (4) [files] = noop (4) [expiration] = noop (4) [logintime] = noop Not doing PAP as Auth-Type is already set. (4) [pap] = noop (4) } # authorize = ok (4) Found Auth-Type = mschap (4) Auth-Type sub-section not found. Ignoring. (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (4) Failed to authenticate the user (4) Using Post-Auth-Type Reject (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (4) Post-Auth-Type REJECT { (4) attr_filter.access_reject: EXPAND %{User-Name} (4) attr_filter.access_reject: --> adusername (4) attr_filter.access_reject: Matched entry DEFAULT at line 11 (4) [attr_filter.access_reject] = updated (4) [eap] = noop (4) policy remove_reply_message_if_eap { (4) if (&reply:EAP-Message && &reply:Reply-Message) { (4) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (4) else { (4) [noop] = noop (4) } # else = noop (4) } # policy remove_reply_message_if_eap = noop (4) } # Post-Auth-Type REJECT = updated (4) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (4) Sending delayed response (4) Sent Access-Reject Id 244 from 127.0.0.1:1812 to 127.0.0.1:44341 length 38 Waking up in 3.9 seconds. (4) Cleaning up request packet ID 244 with timestamp +929 due to cleanup_delay was reached A successful query with NTRadPing from a windows PC with DEFAULT Auth-Type = ntlm_auth set in the authorize file it success with this in the debug (0) Received Access-Request Id 47 from 192.168.0.200:64897 to 192.168.0.4:1812 length 45 (0) User-Name = "anotherADuser" (0) User-Password = "password" (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "tammi", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) files: users: Matched entry DEFAULT at line 180 (0) [files] = ok (0) [expiration] = noop (0) [logintime] = noop Not doing PAP as Auth-Type is already set. (0) [pap] = noop (0) } # authorize = ok (0) Found Auth-Type = ntlm_auth (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) authenticate { (0) ntlm_auth: Executing: /usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --username=%{mschap:User-Name} --password=%{User-Password}: (0) ntlm_auth: EXPAND --username=%{mschap:User-Name} (0) ntlm_auth: --> --username=anotheraduser (0) ntlm_auth: EXPAND --password=%{User-Password} (0) ntlm_auth: --> --password=password (0) ntlm_auth: Program returned code (0) and output ': (0x0)' (0) ntlm_auth: Program executed successfully (0) [ntlm_auth] = ok (0) } # authenticate = ok (0) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default (0) post-auth { (0) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { (0) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE (0) update { (0) No attributes updated for RHS &session-state: (0) } # update = noop (0) [exec] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) if (EAP-Key-Name && &reply:EAP-Session-Id) { (0) if (EAP-Key-Name && &reply:EAP-Session-Id) -> FALSE (0) } # post-auth = noop (0) Sent Access-Accept Id 47 from 192.168.0.4:1812 to 192.168.0.200:64897 length 38 (0) Finished request Waking up in 4.9 seconds. (0) Cleaning up request packet ID 47 with timestamp +5 due to cleanup_delay was reached It specifically has Found Auth-Type = ntlm_auth so my issue is the MSCHAP - I've done something wrong to force that to NTLM_AUTH The guides talk about putting ntlm_auth in default and inner-tunnel - I have the line ntlm_auth just on its own in the AUTHENTICATE section after Auth-type MSCHAP {} and digest. Should I instead change Auth-Type MS-CHAP { mschap } to Auth-Type MS-CHAP { mschap ntlm_auth } Or even remove the mchap from that section entirely? I'm sure I've followed everything but I've obviously missed something or perhaps made a typo. I've checked and checked again but sometimes the brain reads what it expects to read but I'm confident I don't have any typos. PS - I've only just realised you are the founder and still project lead - We are privileged you monitor the user list at all and thank you for your dedication to your project. I've only just dipped my heals here in the interest of providing a client a solution based only on time vs the many people using your product as a service who bill monthly per user. On Fri, May 30, 2025 at 1:09 AM Alan DeKok via Freeradius-Users < freeradius-users@lists.freeradius.org> wrote:
On May 28, 2025, at 6:56 PM, Matthew Beechey <mobiusnz@gmail.com> wrote:
I've installed Freeradius 3.0 - That was a default with APT-GET - Let me know if manually getting a newer version is essential.
It should be dine.
I'm using it in front of a Windows Server and a Fortigate Firewall.
I have it talking to the server and joined to the domain. I can manually use NTLM_AUTH and it authenticates Windows users like a dream.
That's good.
With DEFAULT Auth-Type = ntlm_auth in files/authorize I can authenticate users with NTRadPing although I cannot without the DEFAULT.... entry.
If only there was some kind of debug output you could read to see what's going on.
http://wiki.freeradius <http://wiki.freeradius/>.org/list-help
I cannot authenticate users from the radius settings on the Fortigate - They always fail. Looking at logging from Freeradius with -X i see this entry
mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
When I do it with NTRadPing with the DEFAULT set to ntlm_auth I get this entry in the logging
(0) Found Auth-Type = ntlm_auth
So I'm picking something about the request from the Fortigate is setting it to MSCHAP (v1) and with NTRadPing its doing it with ntlm_auth
What do I need to do here - disable MSCHAPv1 and if so how - Something else to force MSCHAP to use NTLM_AUTH
Perhaps read mods-available/mschap Look for "ntlm".
Essentially I want to use Windows users for Fortinet VPN and next step is going to be adding 2 Factor authentication with Google, Authy or Microsoft - Hoping I can do it as a rolling code so any app will work? Any pointers here or advice would be good if you have some.
The documentation is pretty much in front of you already. Just follow it, and it will work.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 30/05/2025 03:37, Matthew Beechey wrote:
(4) [chap] = noop (4) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' (4) [mschap] = ok (4) [digest] = noop
...
(4) [logintime] = noop Not doing PAP as Auth-Type is already set. (4) [pap] = noop (4) } # authorize = ok (4) Found Auth-Type = mschap (4) Auth-Type sub-section not found. Ignoring.
You've removed 'mschap' from the authenticate section.
A successful query with NTRadPing from a windows PC with DEFAULT Auth-Type = ntlm_auth set in the authorize file it success with this in the debug
(0) Received Access-Request Id 47 from 192.168.0.200:64897 to 192.168.0.4:1812 length 45 (0) User-Name = "anotherADuser" (0) User-Password = "password"
Plain PAP auth, not mschap.
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) authenticate { (0) ntlm_auth: Executing: /usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --username=%{mschap:User-Name} --password=%{User-Password}:
Correctly running ntlm_auth with a password.
It specifically has Found Auth-Type = ntlm_auth so my issue is the MSCHAP - I've done something wrong to force that to NTLM_AUTH
You need to put the mschap entry back and configure the mschap module. "mschap" authenticates MSCHAP. "ntlm_auth" runs the "exec" module (see mods-available/ntlm_auth) to pass a plain username and password (i.e. PAP auth) to Samba/AD. You need both to work. Note that you're very likely better to configure LDAP to handle the PAP auth. It will be much faster, and you can use LDAPS (ntlm_auth will probably send the password in the clear over the local network to AD).
Should I instead change
Auth-Type MS-CHAP { mschap }
to
Auth-Type MS-CHAP { mschap ntlm_auth }
No. You can't authenticate PAP with the mschap module, or MSCHAP with the ntlm_auth utility in password mode. -- Matthew
Thanks Matthew - You are dead right - mschap was missing from the default config file but was there for inner-tunnel - Once I found I could test inner-tunnel with a different port and found that did work I found the difference looking at the configs. Shame I didn't see your reply first as would have saved me some time. Not too worried about speed as it'll only be handling a few requests a day as its just for VPN authentication which is only used by a handful of users intermittently. Next is the harder process of adding OTP in for 2FA. A quick read indicates there is a standard for a radius response that the Fortiate supports as in my head I assumed I would have to have them put the auth code in the password or username with a character seperator and have freeradius split it. Reading time to make sure I start off with the right process and toolset. I'd like to support standard OTP so users can use Google Auth, Microsoft Auth or Authy on their devices but we'll see. I still have to work out how the initial OTP "codes" are generated against users on the AD server etc. Read, read, read. On Fri, May 30, 2025 at 8:07 PM Matthew Newton via Freeradius-Users < freeradius-users@lists.freeradius.org> wrote:
On 30/05/2025 03:37, Matthew Beechey wrote:
(4) [chap] = noop (4) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' (4) [mschap] = ok (4) [digest] = noop
...
(4) [logintime] = noop Not doing PAP as Auth-Type is already set. (4) [pap] = noop (4) } # authorize = ok (4) Found Auth-Type = mschap (4) Auth-Type sub-section not found. Ignoring.
You've removed 'mschap' from the authenticate section.
A successful query with NTRadPing from a windows PC with DEFAULT Auth-Type = ntlm_auth set in the authorize file it success with this in the debug
(0) Received Access-Request Id 47 from 192.168.0.200:64897 to 192.168.0.4:1812 length 45 (0) User-Name = "anotherADuser" (0) User-Password = "password"
Plain PAP auth, not mschap.
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) authenticate { (0) ntlm_auth: Executing: /usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --username=%{mschap:User-Name} --password=%{User-Password}:
Correctly running ntlm_auth with a password.
It specifically has Found Auth-Type = ntlm_auth so my issue is the MSCHAP - I've done something wrong to force that to NTLM_AUTH
You need to put the mschap entry back and configure the mschap module.
"mschap" authenticates MSCHAP.
"ntlm_auth" runs the "exec" module (see mods-available/ntlm_auth) to pass a plain username and password (i.e. PAP auth) to Samba/AD.
You need both to work.
Note that you're very likely better to configure LDAP to handle the PAP auth. It will be much faster, and you can use LDAPS (ntlm_auth will probably send the password in the clear over the local network to AD).
Should I instead change
Auth-Type MS-CHAP { mschap }
to
Auth-Type MS-CHAP { mschap ntlm_auth }
No. You can't authenticate PAP with the mschap module, or MSCHAP with the ntlm_auth utility in password mode.
-- Matthew
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On May 29, 2025, at 10:37 PM, Matthew Beechey <mobiusnz@gmail.com> wrote:
Sorry Alan - Still can't work it out. I follow https://www.freeradius.org/documentation/freeradius-server/4.0.0/howto/datas...
While reading documentation is good, you'll note that's the 4.0 documentation. You're running 3.0. Plus, I suggested that you read mods-available/mschap. That file is on your local system, and contains detailed documentation on getting ntlm_auth running with the mschap module.
and when I run the radtest -t mschap user password localhost 0 Secret it fails.
I also suggested that you read http://wiki.freeradius.org/list-help That page SPECIFICALLY says that you shouldn't post the client output, because it's not needed.
(4) Found Auth-Type = mschap (4) Auth-Type sub-section not found. Ignoring.
As Matthew noted, you've edited the default configuration and broken it. Why? Don't do that. Go back to the default configuration, and start over. Follow the documentation... the VERSION 3 documentation. It will work. The reason it doesn't work is that you're not following the documentation, and you're making massive changes to the configuration without really knowing what the effects are. Alan DeKok.
Thanks Alan - My head was saying the MS Server doesn't support MSCHAP so I don't want it when in reality I now realise (hopefully correctly) the whole purpose of the Radius server is to be the intermediary - Take the MSCHAP request and forward it to the Microsoft server in a format it supports - NTLMv2. I have to say the way my brain works when solving problems is if I know how it should work and what its instead doing i will work to fix the break. Where my brain was broken with this is not understanding the expected processes before forging on with a guide. I guess I need to slow down a little ;) Is there a quick way to reset the config back to defaults - APT-GET purge ?? Seems like this will take it off and clean off the config files etc. I'll give that a crack and have another go knowing what I learned in the process that was successful and where my thinking was completely ass before the cart. Matt On Fri, May 30, 2025 at 10:58 PM Alan DeKok via Freeradius-Users < freeradius-users@lists.freeradius.org> wrote:
On May 29, 2025, at 10:37 PM, Matthew Beechey <mobiusnz@gmail.com> wrote:
Sorry Alan - Still can't work it out. I follow
https://www.freeradius.org/documentation/freeradius-server/4.0.0/howto/datas...
While reading documentation is good, you'll note that's the 4.0 documentation. You're running 3.0.
Plus, I suggested that you read mods-available/mschap. That file is on your local system, and contains detailed documentation on getting ntlm_auth running with the mschap module.
and when I run the radtest -t mschap user password localhost 0 Secret it fails.
I also suggested that you read http://wiki.freeradius.org/list-help
That page SPECIFICALLY says that you shouldn't post the client output, because it's not needed.
(4) Found Auth-Type = mschap (4) Auth-Type sub-section not found. Ignoring.
As Matthew noted, you've edited the default configuration and broken it.
Why?
Don't do that. Go back to the default configuration, and start over. Follow the documentation... the VERSION 3 documentation.
It will work.
The reason it doesn't work is that you're not following the documentation, and you're making massive changes to the configuration without really knowing what the effects are.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ok - I've removed freeradius and freeradius-config and reinstalled to get a default config back. I've gone ahead and edited the files again from scratch following instructions. Again a NTRadPint with the default entry for NTLM in works - With that off it fails which I guess is to be expected as I see NTRadPing doesn't specify and auth type and the only option is CHAP not MSCHAP. With Radtest I get Received Access-Reject Id 190 from 127.0.0.1:1812 to 127.0.0.1:39439 length 79 Message-Authenticator = 0x55886eec80ca8cf69c744513651e6094 MS-CHAP-Error = "\000E=691 R=1 C=41d19098087818a0 V=2" (0) -: Expected Access-Accept got Access-Reject In the debug I can see mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' (0) [mschap] = ok Which I was failing on previously due to a bad edit somewhere. The one change due to the v4.0 instructions other than replacing raddb with freeradius/3.0 is that it talks about editing the /raddb/modules/mschap file - There is no modules path in 3.0 so I edited /etc/freeradius/3.0/mods-enabled/mschap . I apologise for being back here again - I feel that I'm 99.9% there and I'm just missing some small step. running ntlm_auth manually works well. On Fri, May 30, 2025 at 10:58 PM Alan DeKok via Freeradius-Users < freeradius-users@lists.freeradius.org> wrote:
On May 29, 2025, at 10:37 PM, Matthew Beechey <mobiusnz@gmail.com> wrote:
Sorry Alan - Still can't work it out. I follow
https://www.freeradius.org/documentation/freeradius-server/4.0.0/howto/datas...
While reading documentation is good, you'll note that's the 4.0 documentation. You're running 3.0.
Plus, I suggested that you read mods-available/mschap. That file is on your local system, and contains detailed documentation on getting ntlm_auth running with the mschap module.
and when I run the radtest -t mschap user password localhost 0 Secret it fails.
I also suggested that you read http://wiki.freeradius.org/list-help
That page SPECIFICALLY says that you shouldn't post the client output, because it's not needed.
(4) Found Auth-Type = mschap (4) Auth-Type sub-section not found. Ignoring.
As Matthew noted, you've edited the default configuration and broken it.
Why?
Don't do that. Go back to the default configuration, and start over. Follow the documentation... the VERSION 3 documentation.
It will work.
The reason it doesn't work is that you're not following the documentation, and you're making massive changes to the configuration without really knowing what the effects are.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jun 2, 2025, at 9:23 PM, Matthew Beechey <mobiusnz@gmail.com> wrote:
Ok - I've removed freeradius and freeradius-config and reinstalled to get a default config back. I've gone ahead and edited the files again from scratch following instructions. Again a NTRadPint with the default entry for NTLM in works - With that off it fails which I guess is to be expected as I see NTRadPing doesn't specify and auth type and the only option is CHAP not MSCHAP.
With Radtest I get
You've been told that the client output isn't helpful. Why are you still posting it?
In the debug I can see
mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' (0) [mschap] = ok
There's a lot more debug output than that. You've been told to read the documentation: https://wiki.freeradius.org/list-help Which says exactly what to do. Why are you not following the documentation? Why are you asking for help, and then not following the guidance that you are given?
Which I was failing on previously due to a bad edit somewhere.
It was failing due to a bad *method*. You changed things you didn't understand, without reading the documentation. It wasn't an accidental edit. It was a deliberate choice to do the wrong thing. Like being told to read the documentation and follow instructions... and then not doing that.
I apologise for being back here again - I feel that I'm 99.9% there and I'm just missing some small step.
You're making random changes without really understanding what the changes are, or why you're making them. There is documentation. We can help. But not if you refuse to read the documentation and do what it says. At this point, I can't answer any more questions until you read the wiki page I posted above, and follow the instructions. Alan DeKok.
The output was from the diag output of Freeradius but in response to another client (NTRadPing) I've now explored further and finding that radtest worked on port 18120 but not on 1812 I compared the default and inner-tunnel configs and found the missing mschap from the default one and its now working for both ports on radtest and working with the Fortigate appliances Radius credential test (and importantly failing when it should too). I know there are faster processes than NTLM_AUTH but this site will be queried on a busy day less than 12 times. The bigger challenge now is going to be implementing 2 factor auth with freeradius and the fortigate and this is going to be a bigger learning curve for me. I suspect via my daughter I am an undiagnosed ADHD sufferer and my learning style is definately find the solution and work backward to understand the issue - I've never been good at learning before implementing. I learn best implementing as I learn and I apologize for my interactions up to now. I have come to better understand the processes involved through your brutal slapbacks and realise initially I had the process quite wrong in my head. I hope not to be back in my 2FA frustrations but I suspect that will be more at the Fortigate end than anything. On Tue, Jun 3, 2025 at 10:38 PM Alan DeKok via Freeradius-Users < freeradius-users@lists.freeradius.org> wrote:
On Jun 2, 2025, at 9:23 PM, Matthew Beechey <mobiusnz@gmail.com> wrote:
Ok - I've removed freeradius and freeradius-config and reinstalled to
get a
default config back. I've gone ahead and edited the files again from scratch following instructions. Again a NTRadPint with the default entry for NTLM in works - With that off it fails which I guess is to be expected as I see NTRadPing doesn't specify and auth type and the only option is CHAP not MSCHAP.
With Radtest I get
You've been told that the client output isn't helpful. Why are you still posting it?
In the debug I can see
mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' (0) [mschap] = ok
There's a lot more debug output than that.
You've been told to read the documentation:
https://wiki.freeradius.org/list-help
Which says exactly what to do.
Why are you not following the documentation? Why are you asking for help, and then not following the guidance that you are given?
Which I was failing on previously due to a bad edit somewhere.
It was failing due to a bad *method*. You changed things you didn't understand, without reading the documentation. It wasn't an accidental edit. It was a deliberate choice to do the wrong thing.
Like being told to read the documentation and follow instructions... and then not doing that.
I apologise for being back here again - I feel that I'm 99.9% there and I'm just missing some small step.
You're making random changes without really understanding what the changes are, or why you're making them.
There is documentation. We can help. But not if you refuse to read the documentation and do what it says.
At this point, I can't answer any more questions until you read the wiki page I posted above, and follow the instructions.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I just tried it from the Fortigate and I get the 691 but in the debug I got this (1) mschap: --> --nt-response=e3535a27f4f9c6022123dd094e46fc9e3fcc3b4444859367 (1) mschap: ERROR: Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)' (1) mschap: ERROR: Reading winbind reply failed! (0xc0000001) I did notice that when I use NTLM_AUTH a successful response is simply : (0x0) a failed response is NT_STATUS_WRONG_PASSWORD: When trying to update a password, this return status indicates that the value provided as the current password is not correct. (0xc000006a) The initial guide I used before from networkradius.com which I suspect is just yours with their logo and the odd edit it talks about (NT_STATUS_OK) - Is this my problem that my version of NTLM_AUTH is not returning the correct response? On Fri, May 30, 2025 at 10:58 PM Alan DeKok via Freeradius-Users < freeradius-users@lists.freeradius.org> wrote:
On May 29, 2025, at 10:37 PM, Matthew Beechey <mobiusnz@gmail.com> wrote:
Sorry Alan - Still can't work it out. I follow
https://www.freeradius.org/documentation/freeradius-server/4.0.0/howto/datas...
While reading documentation is good, you'll note that's the 4.0 documentation. You're running 3.0.
Plus, I suggested that you read mods-available/mschap. That file is on your local system, and contains detailed documentation on getting ntlm_auth running with the mschap module.
and when I run the radtest -t mschap user password localhost 0 Secret it fails.
I also suggested that you read http://wiki.freeradius.org/list-help
That page SPECIFICALLY says that you shouldn't post the client output, because it's not needed.
(4) Found Auth-Type = mschap (4) Auth-Type sub-section not found. Ignoring.
As Matthew noted, you've edited the default configuration and broken it.
Why?
Don't do that. Go back to the default configuration, and start over. Follow the documentation... the VERSION 3 documentation.
It will work.
The reason it doesn't work is that you're not following the documentation, and you're making massive changes to the configuration without really knowing what the effects are.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
Matthew Beechey -
Matthew Newton