Help with NTLM_AUTH and a Fortigate
Matthew Beechey
mobiusnz at gmail.com
Wed May 28 22:56:06 UTC 2025
I've installed Freeradius 3.0 - That was a default with APT-GET - Let me
know if manually getting a newer version is essential.
I'm using it in front of a Windows Server and a Fortigate Firewall.
I have it talking to the server and joined to the domain. I can manually
use NTLM_AUTH and it authenticates Windows users like a dream.
With DEFAULT Auth-Type = ntlm_auth in files/authorize I can
authenticate users with NTRadPing although I cannot without the DEFAULT....
entry.
I cannot authenticate users from the radius settings on the Fortigate -
They always fail. Looking at logging from Freeradius with -X I see this
entry
mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
When I do it with NTRadPing with the DEFAULT set to ntlm_auth I get this
entry in the logging
(0) Found Auth-Type = ntlm_auth
So I'm picking something about the request from the Fortigate is setting it
to MSCHAP (v1) and with NTRadPing it's doing it with ntlm_auth.
What do I need to do here - disable MSCHAPv1 and if so how - Something else
to force MSCHAP to use NTLM_AUTH?
Essentially I want to use Windows users for Fortinet VPN and next step is
going to be adding 2 Factor authentication with Google, Authy or Microsoft
- Hoping I can do it as a rolling code so any app will work? Any pointers
here or advice would be good if you have some.