Help with NTLM_AUTH and a Fortigate
Matthew Beechey
mobiusnz at gmail.com
Fri May 30 02:37:44 UTC 2025
Sorry Alan - still can't work it out. I followed
https://www.freeradius.org/documentation/freeradius-server/4.0.0/howto/datastores/ad/ntlm_mschap.html
and when I run radtest -t mschap user password localhost 0 Secret it
fails.
Sent Access-Request Id 244 from 0.0.0.0:44341 to 127.0.0.1:1812 length 132
User-Name = "adusername"
MS-CHAP-Password = "userspassword"
NAS-IP-Address = 192.168.0.4
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "userspassword"
MS-CHAP-Challenge = 0x7df3afa84773538b
MS-CHAP-Response =
0x00010000000000000000000000000000000000000000000000007e5bc7e85c580eee4508e19f2e2a6a8f668ee74d77650dc0
Received Access-Reject Id 244 from 127.0.0.1:1812 to 127.0.0.1:44341 length
38
Message-Authenticator = 0xce92d2aea5bb877a5b2fd71314caa01d
(0) -: Expected Access-Accept got Access-Reject
Looking in the debug session I get this
(4) Received Access-Request Id 244 from 127.0.0.1:44341 to 127.0.0.1:1812
length 132
(4) Message-Authenticator = 0x8822fd20979e54ad9ab9c3861aa1e58f
(4) User-Name = "adusername"
(4) NAS-IP-Address = 192.168.0.4
(4) NAS-Port = 0
(4) MS-CHAP-Challenge = 0x7df3afa84773538b
(4) MS-CHAP-Response =
0x00010000000000000000000000000000000000000000000000007e5bc7e85c580eee4508e19f2e2a6a8f668ee74d77650dc0
(4) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(4) authorize {
(4) policy filter_username {
(4) if (&User-Name) {
(4) if (&User-Name) -> TRUE
(4) if (&User-Name) {
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@[^@]*@/ ) {
(4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ /@\./) {
(4) if (&User-Name =~ /@\./) -> FALSE
(4) } # if (&User-Name) = notfound
(4) } # policy filter_username = notfound
(4) [preprocess] = ok
(4) [chap] = noop
(4) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
(4) [mschap] = ok
(4) [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "adusername", looking up realm NULL
(4) suffix: No such realm "NULL"
(4) [suffix] = noop
(4) eap: No EAP-Message, not doing EAP
(4) [eap] = noop
(4) [files] = noop
(4) [expiration] = noop
(4) [logintime] = noop
Not doing PAP as Auth-Type is already set.
(4) [pap] = noop
(4) } # authorize = ok
(4) Found Auth-Type = mschap
(4) Auth-Type sub-section not found. Ignoring.
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(4) Failed to authenticate the user
(4) Using Post-Auth-Type Reject
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(4) Post-Auth-Type REJECT {
(4) attr_filter.access_reject: EXPAND %{User-Name}
(4) attr_filter.access_reject: --> adusername
(4) attr_filter.access_reject: Matched entry DEFAULT at line 11
(4) [attr_filter.access_reject] = updated
(4) [eap] = noop
(4) policy remove_reply_message_if_eap {
(4) if (&reply:EAP-Message && &reply:Reply-Message) {
(4) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(4) else {
(4) [noop] = noop
(4) } # else = noop
(4) } # policy remove_reply_message_if_eap = noop
(4) } # Post-Auth-Type REJECT = updated
(4) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(4) Sending delayed response
(4) Sent Access-Reject Id 244 from 127.0.0.1:1812 to 127.0.0.1:44341 length
38
Waking up in 3.9 seconds.
(4) Cleaning up request packet ID 244 with timestamp +929 due to
cleanup_delay was reached
A query with NTRadPing from a Windows PC, with DEFAULT
Auth-Type = ntlm_auth set in the authorize file, succeeds with this in the
debug:
(0) Received Access-Request Id 47 from 192.168.0.200:64897 to
192.168.0.4:1812 length 45
(0) User-Name = "anotherADuser"
(0) User-Password = "password"
(0) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "tammi", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) files: users: Matched entry DEFAULT at line 180
(0) [files] = ok
(0) [expiration] = noop
(0) [logintime] = noop
Not doing PAP as Auth-Type is already set.
(0) [pap] = noop
(0) } # authorize = ok
(0) Found Auth-Type = ntlm_auth
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) authenticate {
(0) ntlm_auth: Executing: /usr/bin/ntlm_auth --allow-mschapv2
--request-nt-key --username=%{mschap:User-Name} --password=%{User-Password}:
(0) ntlm_auth: EXPAND --username=%{mschap:User-Name}
(0) ntlm_auth: --> --username=anotheraduser
(0) ntlm_auth: EXPAND --password=%{User-Password}
(0) ntlm_auth: --> --password=password
(0) ntlm_auth: Program returned code (0) and output ': (0x0)'
(0) ntlm_auth: Program executed successfully
(0) [ntlm_auth] = ok
(0) } # authenticate = ok
(0) # Executing section post-auth from file
/etc/freeradius/3.0/sites-enabled/default
(0) post-auth {
(0) if (session-state:User-Name && reply:User-Name && request:User-Name
&& (reply:User-Name == request:User-Name)) {
(0) if (session-state:User-Name && reply:User-Name && request:User-Name
&& (reply:User-Name == request:User-Name)) -> FALSE
(0) update {
(0) No attributes updated for RHS &session-state:
(0) } # update = noop
(0) [exec] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) if (EAP-Key-Name && &reply:EAP-Session-Id) {
(0) if (EAP-Key-Name && &reply:EAP-Session-Id) -> FALSE
(0) } # post-auth = noop
(0) Sent Access-Accept Id 47 from 192.168.0.4:1812 to 192.168.0.200:64897
length 38
(0) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 47 with timestamp +5 due to cleanup_delay
was reached
It specifically has Found Auth-Type = ntlm_auth so my issue is the MSCHAP -
I've done something wrong to force that to NTLM_AUTH
The guides talk about putting ntlm_auth in default and inner-tunnel - I
have the line ntlm_auth just on its own in the AUTHENTICATE section after
Auth-type MSCHAP {} and digest.
Should I instead change
Auth-Type MS-CHAP {
mschap
}
to
Auth-Type MS-CHAP {
mschap
ntlm_auth
}
Or even remove the mschap from that section entirely?
I'm sure I've followed everything, but I've obviously missed something or
perhaps made a typo. I've checked and checked again, but sometimes the brain
reads what it expects to read. Still, I'm confident I don't have any typos.
PS - I've only just realised you are the founder and still project lead -
we are privileged you monitor the user list at all, and thank you for your
dedication to your project. I've only just dipped my heels in here in the
interest of providing a client a solution based only on time, vs the many
people using your product as a service who bill monthly per user.
On Fri, May 30, 2025 at 1:09 AM Alan DeKok via Freeradius-Users <
freeradius-users at lists.freeradius.org> wrote:
> On May 28, 2025, at 6:56 PM, Matthew Beechey <mobiusnz at gmail.com> wrote:
> > I've installed Freeradius 3.0 - That was a default with APT-GET - Let me
> > know if manually getting a newer version is essential.
>
> It should be fine.
>
> > I'm using it in front of a Windows Server and a Fortigate Firewall.
> >
> > I have it talking to the server and joined to the domain. I can manually
> > use NTLM_AUTH and it authenticates Windows users like a dream.
>
> That's good.
>
> > With DEFAULT Auth-Type = ntlm_auth in files/authorize I can
> > authenticate users with NTRadPing although I cannot without the
> DEFAULT....
> > entry.
>
> If only there was some kind of debug output you could read to see what's
> going on.
>
> http://wiki.freeradius.org/list-help
>
> > I cannot authenticate users from the radius settings on the Fortigate -
> > They always fail. Looking at logging from Freeradius with -X i see this
> > entry
> >
> > mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
> >
> > When I do it with NTRadPing with the DEFAULT set to ntlm_auth I get this
> > entry in the logging
> >
> > (0) Found Auth-Type = ntlm_auth
> >
> > So I'm picking something about the request from the Fortigate is setting
> it
> > to MSCHAP (v1) and with NTRadPing its doing it with ntlm_auth
> >
> > What do I need to do here - disable MSCHAPv1 and if so how - Something
> else
> > to force MSCHAP to use NTLM_AUTH
>
> Perhaps read mods-available/mschap Look for "ntlm".
>
> > Essentially I want to use Windows users for Fortinet VPN and next step is
> > going to be adding 2 Factor authentication with Google, Authy or
> Microsoft
> > - Hoping I can do it as a rolling code so any app will work? Any pointers
> > here or advice would be good if you have some.
>
> The documentation is pretty much in front of you already. Just follow
> it, and it will work.
>
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
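As an added example (not code from the thread, from FreeRADIUS or from Samba), the Python script below decodes the MS-CHAP-Challenge and MS-CHAP-Response values from the radtest debug output above and the User-Password from the NTRadPing run, and builds the ntlm_auth command line each kind of request can actually support. It goes beyond the thread by also handling MS-CHAPv2 (MS-CHAP2-Response, with the RFC 2759 challenge hash). The point it illustrates: a PAP request carries the password, so the exec-style ntlm_auth call with --password seen in the debug works; an MS-CHAP request carries only a challenge and a DES response, so the helper must be given --challenge and --nt-response instead, which is the form the mschap module's own ntlm_auth setting in mods-available/mschap uses. The /usr/bin/ntlm_auth path comes from the debug output; the ntlm_auth options are Samba's documented ones; the username handling is simplified (the real exec call expands %{mschap:User-Name}, which strips any DOMAIN\ prefix). The log lines are constructed from the thread's output.

```python
"""Decode the MS-CHAP attributes seen in a FreeRADIUS debug log and show
what ntlm_auth would have to be given to verify them.

Added example for this thread, not code from FreeRADIUS, Samba or the poster.
"""
import hashlib
import re
from typing import Dict, List, Union

# Constructed from request (4) in the thread: radtest -t mschap (MS-CHAPv1).
# The 50-byte MS-CHAP-Response is ident 00, flags 01, 24 zero bytes of
# LM-Response, then the 24-byte NT-Response, as printed in the log.
MSCHAP_V1_LOG = (
    '(4) User-Name = "adusername"\n'
    "(4) MS-CHAP-Challenge = 0x7df3afa84773538b\n"
    "(4) MS-CHAP-Response = 0x0001" + "00" * 24
    + "7e5bc7e85c580eee4508e19f2e2a6a8f668ee74d77650dc0\n"
)

# Constructed from request (0) in the thread: NTRadPing sending PAP.
PAP_LOG = (
    '(0) User-Name = "anotherADuser"\n'
    '(0) User-Password = "password"\n'
)

ATTR_RE = re.compile(
    r'^\(\d+\)\s+([\w-]+)\s+=\s+(?:"([^"]*)"|0x([0-9a-fA-F]+)|(\S+))\s*$', re.M
)

Attrs = Dict[str, Union[str, bytes]]


def parse_attrs(log: str) -> Attrs:
    """Map attribute name -> value for 'Name = value' debug lines.
    0x... values become bytes; quoted and bare values stay strings."""
    attrs: Attrs = {}
    for name, quoted, hexval, bare in ATTR_RE.findall(log):
        attrs[name] = bytes.fromhex(hexval) if hexval else (quoted or bare)
    return attrs


def decode_mschap_response(attrs: Attrs) -> dict:
    """Split a 50-byte MS-CHAP-Response (v1, RFC 2433) or MS-CHAP2-Response
    (v2, RFC 2759) into its fields."""
    if "MS-CHAP-Response" in attrs:
        r, version = attrs["MS-CHAP-Response"], 1
    elif "MS-CHAP2-Response" in attrs:
        r, version = attrs["MS-CHAP2-Response"], 2
    else:
        raise ValueError("request carries no MS-CHAP response attribute")
    if not isinstance(r, bytes) or len(r) != 50:
        raise ValueError("MS-CHAP response must be exactly 50 bytes")
    fields = {"version": version, "ident": r[0], "flags": r[1],
              "nt_response": r[26:50]}
    if version == 1:
        fields["lm_response"] = r[2:26]
        # Flags bit 0 set: the NT-Response is in use, LM-Response is ignored.
        fields["uses_nt"] = bool(r[1] & 1)
    else:
        fields["peer_challenge"] = r[2:18]
        fields["reserved"] = r[18:26]
        fields["uses_nt"] = True
    return fields


def mschap_challenge(attrs: Attrs, fields: dict) -> bytes:
    """The 8-byte challenge the NT-Response was computed over: v1 uses
    MS-CHAP-Challenge as-is, v2 derives SHA1(Peer || Authenticator || User)[:8]."""
    challenge = attrs["MS-CHAP-Challenge"]
    if fields["version"] == 1:
        return challenge
    user = str(attrs["User-Name"]).encode()
    return hashlib.sha1(fields["peer_challenge"] + challenge + user).digest()[:8]


def ntlm_auth_argv(attrs: Attrs, ntlm_auth: str = "/usr/bin/ntlm_auth") -> List[str]:
    """argv FreeRADIUS would hand to ntlm_auth for this request.

    With User-Password present (PAP) this is the exec-style call in the
    thread's log. With only a challenge and a response (MS-CHAP) there is
    no password to pass, so the helper gets --challenge and --nt-response,
    the form the mschap module's ntlm_auth setting uses.
    """
    user = str(attrs["User-Name"])  # real config: %{mschap:User-Name}
    base = [ntlm_auth, "--allow-mschapv2", "--request-nt-key", f"--username={user}"]
    if "User-Password" in attrs:
        return base + [f"--password={attrs['User-Password']}"]
    fields = decode_mschap_response(attrs)
    if not fields["uses_nt"]:
        raise ValueError("LM-only response; ntlm_auth needs an NT-Response")
    return base + [f"--challenge={mschap_challenge(attrs, fields).hex()}",
                   f"--nt-response={fields['nt_response'].hex()}"]


if __name__ == "__main__":
    for log in (PAP_LOG, MSCHAP_V1_LOG):
        print(" ".join(ntlm_auth_argv(parse_attrs(log))))
```

Running it prints the --password form for the NTRadPing request and the --challenge/--nt-response form for the radtest request; the second line is the shape of command an Auth-Type MS-CHAP section has to end up issuing, and it cannot be produced by an exec module that expands %{User-Password}, because that attribute is simply absent from an MS-CHAP Access-Request.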