Help with NTLM_AUTH and a Fortigate
Matthew Beechey
mobiusnz at gmail.com
Tue Jun 3 01:23:23 UTC 2025
Ok - I've removed freeradius and freeradius-config and reinstalled to get a
default config back. I've gone ahead and edited the files again from
scratch following instructions. Again a NTRadPing with the default entry
for NTLM in works - With that off it fails which I guess is to be expected
as I see NTRadPing doesn't specify an auth type and the only option is
CHAP not MSCHAP.
With Radtest I get
Received Access-Reject Id 190 from 127.0.0.1:1812 to 127.0.0.1:39439 length 79
Message-Authenticator = 0x55886eec80ca8cf69c744513651e6094
MS-CHAP-Error = "\000E=691 R=1 C=41d19098087818a0 V=2"
(0) -: Expected Access-Accept got Access-Reject
In the debug I can see
mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
(0) [mschap] = ok
Which I was failing on previously due to a bad edit somewhere.
The one change due to the v4.0 instructions other than replacing raddb with
freeradius/3.0 is that it talks about editing the /raddb/modules/mschap
file - There is no modules path in 3.0 so I edited
/etc/freeradius/3.0/mods-enabled/mschap.
I apologise for being back here again - I feel that I'm 99.9% there and I'm
just missing some small step.
Running ntlm_auth manually works well.
On Fri, May 30, 2025 at 10:58 PM Alan DeKok via Freeradius-Users <
freeradius-users at lists.freeradius.org> wrote:
> On May 29, 2025, at 10:37 PM, Matthew Beechey <mobiusnz at gmail.com> wrote:
> > Sorry Alan - Still can't work it out. I follow
> >
> > https://www.freeradius.org/documentation/freeradius-server/4.0.0/howto/datastores/ad/ntlm_mschap.html
>
> While reading documentation is good, you'll note that's the 4.0
> documentation. You're running 3.0.
>
> Plus, I suggested that you read mods-available/mschap. That file is on
> your local system, and contains detailed documentation on getting ntlm_auth
> running with the mschap module.
>
> > and when I run the radtest -t mschap user password localhost 0 Secret it
> > fails.
>
> I also suggested that you read http://wiki.freeradius.org/list-help
>
> That page SPECIFICALLY says that you shouldn't post the client output,
> because it's not needed.
>
> > (4) Found Auth-Type = mschap
> > (4) Auth-Type sub-section not found. Ignoring.
>
> As Matthew noted, you've edited the default configuration and broken it.
>
> Why?
>
> Don't do that. Go back to the default configuration, and start over.
> Follow the documentation... the VERSION 3 documentation.
>
> It will work.
>
> The reason it doesn't work is that you're not following the
> documentation, and you're making massive changes to the configuration
> without really knowing what the effects are.
>
> Alan DeKok.