Help with NTLM_AUTH and a Fortigate

Matthew Beechey mobiusnz at gmail.com
Wed Jun 4 05:35:40 UTC 2025


The output was from the diag output of Freeradius but in response to
another client (NTRadPing)

I've now explored further and, finding that radtest worked on port 18120 but
not on 1812, I compared the default and inner-tunnel configs and found the
missing mschap from the default one, and it's now working for both ports on
radtest and working with the Fortigate appliance's Radius credential test
(and importantly failing when it should too).

I know there are faster processes than NTLM_AUTH but this site will be
queried on a busy day less than 12 times.

The bigger challenge now is going to be implementing 2 factor auth with
freeradius and the fortigate and this is going to be a bigger learning
curve for me.

I suspect via my daughter I am an undiagnosed ADHD sufferer and my learning
style is definitely find the solution and work backward to understand the
issue - I've never been good at learning before implementing. I learn best
implementing as I learn and I apologize for my interactions up to now.

I have come to better understand the processes involved through your brutal
slapbacks and realise initially I had the process quite wrong in my head.

I hope not to be back in my 2FA frustrations but I suspect that will be
more at the Fortigate end than anything.

On Tue, Jun 3, 2025 at 10:38 PM Alan DeKok via Freeradius-Users <
freeradius-users at lists.freeradius.org> wrote:

>
> On Jun 2, 2025, at 9:23 PM, Matthew Beechey <mobiusnz at gmail.com> wrote:
> >
> > Ok - I've removed freeradius and freeradius-config and reinstalled to get a
> > default config back. I've gone ahead and edited the files again from
> > scratch following instructions. Again a NTRadPing with the default entry
> > for NTLM in works - With that off it fails which I guess is to be expected
> > as I see NTRadPing doesn't specify an auth type and the only option is
> > CHAP not MSCHAP.
> >
> > With Radtest I get
>
>   You've been told that the client output isn't helpful.  Why are you
> still posting it?
>
> > In the debug I can see
> >
> > mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
> > (0)     [mschap] = ok
>
>   There's a lot more debug output than that.
>
>   You've been told to read the documentation:
>
> https://wiki.freeradius.org/list-help
>
>   Which says exactly what to do.
>
>   Why are you not following the documentation?  Why are you asking for
> help, and then not following the guidance that you are given?
>
> > Which I was failing on previously due to a bad edit somewhere.
>
>   It was failing due to a bad *method*.  You changed things you didn't
> understand, without reading the documentation.  It wasn't an accidental
> edit.  It was a deliberate choice to do the wrong thing.
>
>   Like being told to read the documentation and follow instructions... and
> then not doing that.
>
> > I apologise for being back here again - I feel that I'm 99.9% there and I'm
> > just missing some small step.
>
>   You're making random changes without really understanding what the
> changes are, or why you're making them.
>
>   There is documentation.  We can help.  But not if you refuse to read the
> documentation and do what it says.
>
>   At this point, I can't answer any more questions until you read the wiki
> page I posted above, and follow the instructions.
>
>   Alan DeKok.