Help with NTLM_AUTH and a Fortigate

Matthew Beechey mobiusnz at gmail.com
Mon Jun 2 22:31:05 UTC 2025 

Thanks Alan - My head was saying the MS Server doesn't support MSCHAP so I
don't want it when in reality I now realise (hopefully correctly) the whole
purpose of the Radius server is to be the intermediary - Take the MSCHAP
request and forward it to the Microsoft server in a format it supports -
NTLMv2.

I have to say the way my brain works when solving problems is if I know how
it should work and what its instead doing i will work to fix the break.
Where my brain was broken with this is not understanding the expected
processes before forging on with a guide. I guess I need to slow down a
little ;)

Is there a quick way to reset the config back to defaults - APT-GET purge
?? Seems like this will take it off and clean off the config files etc.
I'll give that a crack and have another go knowing what I learned in the
process that was successful and where my thinking was completely ass before
the cart.

Matt

On Fri, May 30, 2025 at 10:58 PM Alan DeKok via Freeradius-Users <
freeradius-users at lists.freeradius.org> wrote:

> On May 29, 2025, at 10:37 PM, Matthew Beechey <mobiusnz at gmail.com> wrote:
> > Sorry Alan - Still can't work it out. I follow
> >
> https://www.freeradius.org/documentation/freeradius-server/4.0.0/howto/datastores/ad/ntlm_mschap.html
>
>   While reading documentation is good, you'll note that's the 4.0
> documentation.  You're running 3.0.
>
>   Plus, I suggested that you read mods-available/mschap.  That file is on
> your local system, and contains detailed documentation on getting ntlm_auth
> running with the mschap module.
>
> > and when I run the radtest -t mschap user password localhost 0 Secret it
> > fails.
>
>   I also suggested that you read http://wiki.freeradius.org/list-help
>
>   That page SPECIFICALLY says that you shouldn't post the client output,
> because it's not needed.
>
> > (4) Found Auth-Type = mschap
> > (4) Auth-Type sub-section not found.  Ignoring.
>
>   As Matthew noted, you've edited the default configuration and broken it.
>
>   Why?
>
>   Don't do that.  Go back to the default configuration, and start over.
> Follow the documentation... the VERSION 3 documentation.
>
>   It will work.
>
>   The reason it doesn't work is that you're not following the
> documentation, and you're making massive changes to the configuration
> without really knowing what the effects are.
>
>   Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>

More information about the Freeradius-Users mailing list