Help with NTLM_AUTH and a Fortigate

Matthew Beechey mobiusnz at gmail.com
Tue Jun 3 01:34:04 UTC 2025 

I just tried it from the Fortigate and I get the 691 but in the debug I got
this

(1) mschap:    -->
--nt-response=e3535a27f4f9c6022123dd094e46fc9e3fcc3b4444859367
(1) mschap: ERROR: Program returned code (1) and output 'Reading winbind
reply failed! (0xc0000001)'
(1) mschap: ERROR: Reading winbind reply failed! (0xc0000001)

I did notice that when I use NTLM_AUTH a successful response is simply

:     (0x0)

a failed response is

NT_STATUS_WRONG_PASSWORD: When trying to update a password, this return
status indicates that the value provided as the current password is not
correct. (0xc000006a)

The initial guide I used before from networkradius.com which I suspect is
just yours with their logo and the odd edit it talks about (NT_STATUS_OK) -
Is this my problem that my version of NTLM_AUTH is not returning the
correct response?

On Fri, May 30, 2025 at 10:58 PM Alan DeKok via Freeradius-Users <
freeradius-users at lists.freeradius.org> wrote:

> On May 29, 2025, at 10:37 PM, Matthew Beechey <mobiusnz at gmail.com> wrote:
> > Sorry Alan - Still can't work it out. I follow
> >
> https://www.freeradius.org/documentation/freeradius-server/4.0.0/howto/datastores/ad/ntlm_mschap.html
>
>   While reading documentation is good, you'll note that's the 4.0
> documentation.  You're running 3.0.
>
>   Plus, I suggested that you read mods-available/mschap.  That file is on
> your local system, and contains detailed documentation on getting ntlm_auth
> running with the mschap module.
>
> > and when I run the radtest -t mschap user password localhost 0 Secret it
> > fails.
>
>   I also suggested that you read http://wiki.freeradius.org/list-help
>
>   That page SPECIFICALLY says that you shouldn't post the client output,
> because it's not needed.
>
> > (4) Found Auth-Type = mschap
> > (4) Auth-Type sub-section not found.  Ignoring.
>
>   As Matthew noted, you've edited the default configuration and broken it.
>
>   Why?
>
>   Don't do that.  Go back to the default configuration, and start over.
> Follow the documentation... the VERSION 3 documentation.
>
>   It will work.
>
>   The reason it doesn't work is that you're not following the
> documentation, and you're making massive changes to the configuration
> without really knowing what the effects are.
>
>   Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>

More information about the Freeradius-Users mailing list