Help with NTLM_AUTH and a Fortigate

Alan DeKok aland at deployingradius.com
Thu May 29 13:08:54 UTC 2025


On May 28, 2025, at 6:56 PM, Matthew Beechey <mobiusnz at gmail.com> wrote:
> I've installed Freeradius 3.0 - That was a default with APT-GET - Let me
> know if manually getting a newer version is essential.

  It should be fine.

> I'm using it in front of a Windows Server and a Fortigate Firewall.
> 
> I have it talking to the server and joined to the domain. I can manually
> use NTLM_AUTH and it authenticates Windows users like a dream.

  That's good.

> With DEFAULT     Auth-Type = ntlm_auth in files/authorize I can
> authenticate users with NTRadPing although I cannot without the DEFAULT....
> entry.

  If only there was some kind of debug output you could read to see what's going on.

  http://wiki.freeradius.org/list-help

> I cannot authenticate users from the radius settings on the Fortigate -
> They always fail. Looking at logging from Freeradius with -X I see this
> entry
> 
> mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
> 
> When I do it with NTRadPing with the DEFAULT set to ntlm_auth I get this
> entry in the logging
> 
> (0) Found Auth-Type = ntlm_auth
> 
> So I'm picking something about the request from the Fortigate is setting it
> to MSCHAP (v1) and with NTRadPing it's doing it with ntlm_auth
> 
> What do I need to do here - disable MSCHAPv1 and if so how - Something else
> to force MSCHAP to use NTLM_AUTH

  Perhaps read mods-available/mschap.  Look for "ntlm".

> Essentially I want to use Windows users for Fortinet VPN and next step is
> going to be adding 2 Factor authentication with Google, Authy or Microsoft
> - Hoping I can do it as a rolling code so any app will work? Any pointers
> here or advice would be good if you have some.

  The documentation is pretty much in front of you already.  Just follow it, and it will work.

  Alan DeKok.
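
The setting the reply points to, shown as an added example that is not part of the original message: it is based on the stock FreeRADIUS 3.0 module files, with only the relevant options shown. `/path/to/ntlm_auth` and `MYDOMAIN` are placeholders to replace with local values.

```conf
# mods-available/ntlm_auth: the exec module behind "Auth-Type = ntlm_auth".
# It passes a cleartext User-Password to ntlm_auth, so it only fits requests
# that carry one (PAP). An MS-CHAP request has no User-Password attribute.
exec ntlm_auth {
	wait = yes
	program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
}

# mods-available/mschap: with this option uncommented and the path corrected,
# the mschap module hands the MS-CHAP challenge and NT response to ntlm_auth,
# which checks them against the domain. No cleartext password is involved,
# and the "Auth-Type = mschap" set by the module is the right one to keep.
mschap {
	ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}
```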



