Help with NTLM_AUTH and a Fortigate

Matthew Newton mcn at freeradius.org
Fri May 30 08:07:00 UTC 2025 


On 30/05/2025 03:37, Matthew Beechey wrote:
> (4)     [chap] = noop
> (4) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
> (4)     [mschap] = ok
> (4)     [digest] = noop

...

> (4)     [logintime] = noop
> Not doing PAP as Auth-Type is already set.
> (4)     [pap] = noop
> (4)   } # authorize = ok
> (4) Found Auth-Type = mschap
> (4) Auth-Type sub-section not found.  Ignoring.


You've removed 'mschap' from the authenticate section.

> A successful query with NTRadPing from a windows PC with DEFAULT
> Auth-Type = ntlm_auth set in the authorize file it success with this in the
> debug
> 
> (0) Received Access-Request Id 47 from 192.168.0.200:64897 to
> 192.168.0.4:1812 length 45
> (0)   User-Name = "anotherADuser"
> (0)   User-Password = "password"

Plain PAP auth, not mschap.

> (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (0)   authenticate {
> (0) ntlm_auth: Executing: /usr/bin/ntlm_auth --allow-mschapv2
> --request-nt-key --username=%{mschap:User-Name} --password=%{User-Password}:


Correctly running ntlm_auth with a password.


> It specifically has Found Auth-Type = ntlm_auth so my issue is the MSCHAP -
> I've done something wrong to force that to NTLM_AUTH

You need to put the mschap entry back and configure the mschap module.

"mschap" authenticates MSCHAP.

"ntlm_auth" runs the "exec" module (see mods-available/ntlm_auth) to 
pass a plain username and password (i.e. PAP auth) to Samba/AD.

You need both to work.

Note that you're very likely better to configure LDAP to handle the PAP 
auth. It will be much faster, and you can use LDAPS (ntlm_auth will 
probably send the password in the clear over the local network to AD).


> Should I instead change
> 
> Auth-Type MS-CHAP {
>                    mschap
> }
> 
> to
> 
> Auth-Type MS-CHAP {
>                    mschap
>                    ntlm_auth
> }

No. You can't authenticate PAP with the mschap module, or MSCHAP with 
the ntlm_auth utility in password mode.

-- 
Matthew

More information about the Freeradius-Users mailing list