Help with NTLM_AUTH and a Fortigate
Matthew Beechey
mobiusnz at gmail.com
Wed Jun 4 22:50:52 UTC 2025
Thanks Matthew - You are dead right - mschap was missing from the default
config file but was there for inner-tunnel - Once I found I could test
inner-tunnel with a different port and found that did work I found the
difference looking at the configs. Shame I didn't see your reply first as
would have saved me some time. Not too worried about speed as it'll only be
handling a few requests a day as it's just for VPN authentication which is
only used by a handful of users intermittently.
Next is the harder process of adding OTP in for 2FA. A quick read indicates
there is a standard for a radius response that the Fortigate supports as in
my head I assumed I would have to have them put the auth code in the
password or username with a character separator and have freeradius split
it. Reading time to make sure I start off with the right process and
toolset. I'd like to support standard OTP so users can use Google Auth,
Microsoft Auth or Authy on their devices but we'll see. I still have to
work out how the initial OTP "codes" are generated against users on the AD
server etc. Read, read, read.
On Fri, May 30, 2025 at 8:07 PM Matthew Newton via Freeradius-Users <
freeradius-users at lists.freeradius.org> wrote:
>
>
> On 30/05/2025 03:37, Matthew Beechey wrote:
> > (4) [chap] = noop
> > (4) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
> > (4) [mschap] = ok
> > (4) [digest] = noop
>
> ...
>
> > (4) [logintime] = noop
> > Not doing PAP as Auth-Type is already set.
> > (4) [pap] = noop
> > (4) } # authorize = ok
> > (4) Found Auth-Type = mschap
> > (4) Auth-Type sub-section not found. Ignoring.
>
>
> You've removed 'mschap' from the authenticate section.
>
> > A successful query with NTRadPing from a windows PC with DEFAULT
> > Auth-Type = ntlm_auth set in the authorize file it succeeds with this in
> the
> > debug
> >
> > (0) Received Access-Request Id 47 from 192.168.0.200:64897 to
> > 192.168.0.4:1812 length 45
> > (0) User-Name = "anotherADuser"
> > (0) User-Password = "password"
>
> Plain PAP auth, not mschap.
>
> > (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> > (0) authenticate {
> > (0) ntlm_auth: Executing: /usr/bin/ntlm_auth --allow-mschapv2
> > --request-nt-key --username=%{mschap:User-Name}
> --password=%{User-Password}:
>
>
> Correctly running ntlm_auth with a password.
>
>
> > It specifically has Found Auth-Type = ntlm_auth so my issue is the
> MSCHAP -
> > I've done something wrong to force that to NTLM_AUTH
>
> You need to put the mschap entry back and configure the mschap module.
>
> "mschap" authenticates MSCHAP.
>
> "ntlm_auth" runs the "exec" module (see mods-available/ntlm_auth) to
> pass a plain username and password (i.e. PAP auth) to Samba/AD.
>
> You need both to work.
>
> Note that you're very likely better to configure LDAP to handle the PAP
> auth. It will be much faster, and you can use LDAPS (ntlm_auth will
> probably send the password in the clear over the local network to AD).
>
>
> > Should I instead change
> >
> > Auth-Type MS-CHAP {
> > mschap
> > }
> >
> > to
> >
> > Auth-Type MS-CHAP {
> > mschap
> > ntlm_auth
> > }
>
> No. You can't authenticate PAP with the mschap module, or MSCHAP with
> the ntlm_auth utility in password mode.
>
> --
> Matthew
>
>
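The split Matthew describes (mschap for MS-CHAP, the ntlm_auth exec module for PAP only, both wired into authenticate) as an added configuration example; it is not from the original thread or the FreeRADIUS project files. It assumes the FreeRADIUS 3.0 layout seen in the debug output, takes /usr/bin/ntlm_auth from that output, and uses EXAMPLE as a placeholder domain name.

```conf
# mods-available/mschap: the mschap module authenticates MS-CHAPv2 itself.
# With the ntlm_auth directive set it hands Samba/AD only the challenge and
# NT-Response pair; no cleartext password leaves the server on this path.
mschap {
	use_mppe = yes
	require_encryption = yes
	require_strong = yes
	with_ntdomain_hack = yes
	ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --domain=EXAMPLE --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

# mods-available/ntlm_auth: an "exec" module that passes a plain username
# and password to Samba/AD. Password mode only, so PAP requests only.
exec ntlm_auth {
	wait = yes
	program = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --domain=EXAMPLE --username=%{mschap:User-Name} --password=%{User-Password}"
}

# sites-enabled/default (other authorize modules such as preprocess, chap,
# suffix and eap stay as shipped)
authorize {
	# mschap sets Auth-Type = MS-CHAP when MS-CHAP attributes are present,
	# so MS-CHAP requests never reach the fallback below.
	mschap

	# Send only requests that carry a cleartext User-Password and have no
	# Auth-Type yet to ntlm_auth. This replaces "DEFAULT Auth-Type := ntlm_auth"
	# in the users file, which would also catch MS-CHAP requests.
	if (!&control:Auth-Type && &User-Password) {
		update control {
			Auth-Type := ntlm_auth
		}
	}
}

authenticate {
	# Must stay in place: without it "Auth-Type sub-section not found".
	Auth-Type MS-CHAP {
		mschap
	}
	# Defining this sub-section also registers the ntlm_auth Auth-Type value.
	Auth-Type ntlm_auth {
		ntlm_auth
	}
}
```

Check with radiusd -X that an MS-CHAP request logs "Found Auth-Type = MS-CHAP" and a PAP request logs "Found Auth-Type = ntlm_auth", and that the exec line printed for the PAP case matches the one in the debug above.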