Help with NTLM_AUTH and a Fortigate
Matthew Newton
mcn at freeradius.org
Fri May 30 08:07:00 UTC 2025
On 30/05/2025 03:37, Matthew Beechey wrote:
> (4) [chap] = noop
> (4) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
> (4) [mschap] = ok
> (4) [digest] = noop
...
> (4) [logintime] = noop
> Not doing PAP as Auth-Type is already set.
> (4) [pap] = noop
> (4) } # authorize = ok
> (4) Found Auth-Type = mschap
> (4) Auth-Type sub-section not found. Ignoring.
You've removed 'mschap' from the authenticate section.
> A successful query with NTRadPing from a Windows PC with DEFAULT
> Auth-Type = ntlm_auth set in the authorize file succeeds with this in the
> debug
>
> (0) Received Access-Request Id 47 from 192.168.0.200:64897 to
> 192.168.0.4:1812 length 45
> (0) User-Name = "anotherADuser"
> (0) User-Password = "password"
Plain PAP auth, not mschap.
> (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (0) authenticate {
> (0) ntlm_auth: Executing: /usr/bin/ntlm_auth --allow-mschapv2
> --request-nt-key --username=%{mschap:User-Name} --password=%{User-Password}:
Correctly running ntlm_auth with a password.
> It specifically has Found Auth-Type = ntlm_auth so my issue is the MSCHAP -
> I've done something wrong to force that to NTLM_AUTH
You need to put the mschap entry back and configure the mschap module.
"mschap" authenticates MSCHAP.
"ntlm_auth" runs the "exec" module (see mods-available/ntlm_auth) to
pass a plain username and password (i.e. PAP auth) to Samba/AD.
You need both to work.
Note that you're very likely better off configuring LDAP to handle the PAP
auth. It will be much faster, and you can use LDAPS (ntlm_auth will
probably send the password in the clear over the local network to AD).
> Should I instead change
>
> Auth-Type MS-CHAP {
> mschap
> }
>
> to
>
> Auth-Type MS-CHAP {
> mschap
> ntlm_auth
> }
No. You can't authenticate PAP with the mschap module, or MSCHAP with
the ntlm_auth utility in password mode.
--
Matthew
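As an added illustration of the layout Matthew describes (not part of the thread or the FreeRADIUS defaults verbatim), the two pieces look like this in a FreeRADIUS 3.0 configuration; the binary path and the commented LDAP block are assumptions:

```text
# sites-enabled/default: one authenticate entry per auth type, both needed.
authenticate {
    # MSCHAP / MSCHAPv2 requests: the mschap module checks the
    # challenge/response. Removing this block is what produces
    # "Auth-Type sub-section not found. Ignoring." in the debug.
    Auth-Type MS-CHAP {
        mschap
    }

    # PAP requests (User-Password present): the exec module from
    # mods-available/ntlm_auth hands the plain password to Samba/AD.
    # Only reached when something set Auth-Type = ntlm_auth in authorize.
    ntlm_auth

    # Preferred for PAP: an LDAPS bind instead of ntlm_auth --password,
    # so the cleartext password never crosses the network unencrypted.
    # Auth-Type LDAP {
    #     ldap
    # }
}

# mods-available/mschap: let mschap pass the challenge/response pair to
# Samba. No cleartext password is involved, which is why this mode cannot
# serve PAP and why the exec ntlm_auth cannot serve MSCHAP.
mschap {
    use_mppe = yes
    ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}
```

With `radiusd -X`, a working MSCHAP request shows `Found Auth-Type = mschap` followed by the mschap module running ntlm_auth with `--challenge`/`--nt-response`, while a PAP request shows `Found Auth-Type = ntlm_auth` and the `--password=` form from the original post.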