Help with NTLM_AUTH and a Fortigate
Matthew Beechey
mobiusnz at gmail.com
Thu May 29 22:38:54 UTC 2025
Ah but Alan - I'd followed an online guide to get it working and didn't
want to actually have to learn anything :O - Sounds like I'm not far off so
I'll read some actual documentation rather than a hastily thrown together
guide. It was pretty painful as the guides all seem to be the same and are
badly out of date so folder names etc have changed.
Thanks for the nudge.
On Fri, May 30, 2025 at 1:09 AM Alan DeKok via Freeradius-Users <
freeradius-users at lists.freeradius.org> wrote:
> On May 28, 2025, at 6:56 PM, Matthew Beechey <mobiusnz at gmail.com> wrote:
> > I've installed Freeradius 3.0 - That was a default with APT-GET - Let me
> > know if manually getting a newer version is essential.
>
> It should be fine.
>
> > I'm using it in front of a Windows Server and a Fortigate Firewall.
> >
> > I have it talking to the server and joined to the domain. I can manually
> > use NTLM_AUTH and it authenticates Windows users like a dream.
>
> That's good.
>
> > With DEFAULT Auth-Type = ntlm_auth in files/authorize I can
> > authenticate users with NTRadPing although I cannot without the DEFAULT....
> > entry.
>
> If only there was some kind of debug output you could read to see what's
> going on.
>
> http://wiki.freeradius.org/list-help
>
> > I cannot authenticate users from the radius settings on the Fortigate -
> > They always fail. Looking at logging from Freeradius with -X I see this
> > entry
> >
> > mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
> >
> > When I do it with NTRadPing with the DEFAULT set to ntlm_auth I get this
> > entry in the logging
> >
> > (0) Found Auth-Type = ntlm_auth
> >
> > So I'm picking something about the request from the Fortigate is setting it
> > to MSCHAP (v1) and with NTRadPing it's doing it with ntlm_auth
> >
> > What do I need to do here - disable MSCHAPv1 and if so how - Something else
> > to force MSCHAP to use NTLM_AUTH
>
> Perhaps read mods-available/mschap. Look for "ntlm".
>
> > Essentially I want to use Windows users for Fortinet VPN and next step is
> > going to be adding 2 Factor authentication with Google, Authy or Microsoft
> > - Hoping I can do it as a rolling code so any app will work? Any pointers
> > here or advice would be good if you have some.
>
> The documentation is pretty much in front of you already. Just follow
> it, and it will work.
>
> Alan DeKok.
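Added example, not part of the original messages and not a copy of anyone's working configuration: the kind of "ntlm" setting in mods-available/mschap that the reply above points to, which lets the mschap module hand the MS-CHAP challenge and response from the request to ntlm_auth once it has set 'Auth-Type = mschap'. The binary path /usr/bin/ntlm_auth is an assumption; use the path of the ntlm_auth that already works from the command line.

```text
# mods-available/mschap (FreeRADIUS 3.0) - added example
#
# A request carrying MS-CHAP attributes has no cleartext password, only a
# challenge and a response. The mschap module therefore has to call
# ntlm_auth itself and pass those two values, which is what this option does.
mschap {
	# Assumed path: replace with the local location of Samba's ntlm_auth.
	# --request-nt-key asks the domain controller to validate the response
	# and return the NT key on success.
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

# After editing, run the server in debug mode (-X) and send a request from
# the MS-CHAP client again; the mschap section of the output shows whether
# ntlm_auth was executed and what it returned.
```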