tbarua
Staff
February 6, 2026

Technical Tip: Overview of the authentication method for local user passwords with enhanced cryptography enabled

Description

 

This article describes the authentication method to expect for local user passwords once 'Enhanced cryptography' is enabled.

 

Scope

 

FortiAuthenticator.

 

Solution

 

In FortiAuthenticator, there is an option to enable 'Enhanced cryptography' for local users, which entails user passwords being hashed using bcrypt; local administrator passwords are always stored this way. If enhanced cryptography remains enabled continuously for 30 days, the option becomes irreversible and cannot be disabled thereafter.

 

However, if it is disabled before the 30-day period elapses, no changes will take effect, and the feature will remain disabled. Details regarding 'Enhanced cryptography' can be found here: FortiAuthenticator Administration Guide: General settings.

 

If the 'Enhanced cryptography' option is enabled, FortiAuthenticator only allows local user credentials to be checked via RADIUS when using PAP. 

 

This behavior is expected by design. When 'Enhanced cryptography' is enabled, CHAP/MS-CHAP authentication for locally defined users fails because these authentication protocols require access to either the cleartext password or an MD4-based password hash so that the received CHAP/MS-CHAP response can be compared against the stored password. A password stored as a bcrypt hash cannot be used for CHAP or MS-CHAPv2 authentication.
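As an added illustration (not code from this article or from FortiAuthenticator), the Python sketch below shows why a credential store holding only a one-way hash can answer a PAP check but not a CHAP one. Two assumptions: standard-library PBKDF2-HMAC stands in for bcrypt, and the "recoverable" record is a stand-in for the storage mode before 'Enhanced cryptography' is enabled.

```python
"""Added example: why a one-way (bcrypt-style) credential store can verify
PAP but not CHAP. PBKDF2-HMAC from the standard library stands in for bcrypt
(an assumption, made so the example has no third-party dependency)."""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # work factor for the stand-in hash


def store_password(password: str, recoverable: bool) -> dict:
    """Create a local-user credential record.

    recoverable=True models a store that can still give the verifier the
    cleartext (assumed representation of the state before 'Enhanced
    cryptography' is enabled). recoverable=False keeps only a salted
    one-way hash, as bcrypt storage does."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "digest": digest,
            "cleartext": password if recoverable else None}


def verify_pap(record: dict, user_password: str) -> bool:
    """PAP: User-Password carries the password itself, so the server can
    re-hash it and compare with the stored one-way hash. Works in both modes."""
    candidate = hashlib.pbkdf2_hmac("sha256", user_password.encode(),
                                    record["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, record["digest"])


def chap_response(identifier: int, password: str, challenge: bytes) -> bytes:
    """Client side of CHAP (RFC 1994): MD5(Identifier || secret || challenge).
    MS-CHAPv2 is analogous but keys its response on the MD4-based NT hash."""
    return hashlib.md5(bytes([identifier]) + password.encode() + challenge).digest()


def verify_chap(record: dict, identifier: int, challenge: bytes,
                response: bytes) -> bool:
    """Server side of CHAP: the expected response is a function of the
    cleartext password, so a hash-only record cannot compute it. That is
    the case behind 'local user auth require "User-Password" (pap)'."""
    if record["cleartext"] is None:
        raise ValueError("CHAP needs the cleartext (or NT hash); "
                         "record holds only a one-way hash")
    expected = chap_response(identifier, record["cleartext"], challenge)
    return hmac.compare_digest(expected, response)
```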

If PAP is deemed unsuitable or insecure, then RADSEC can be configured as a secure alternative.

 

If CHAP/MS-CHAP is used while the 'Enhanced cryptography' option is enabled, an 'invalid user parameter' error can be observed in the RADIUS debug logs, as shown below:

 

2026-01-14T14:55:09.803656+01:00 FAC radiusd[16893]: (0) facauth: Realm not specified, default goes to FAC local user
2026-01-14T14:55:09.805930+01:00 FAC radiusd[16893]: (0) facauth: Local user found: test_pass
2026-01-14T14:55:09.805945+01:00 FAC radiusd[16893]: (0) facauth: User [enable fido: false, token count: 0, revoked_token_count: 0]
2026-01-14T14:55:09.805962+01:00 FAC radiusd[16893]: (0) facauth: Policy [fido_auth_opt: disabled, twofactor: allow both, no_fido: two factor, revoked: reject]
2026-01-14T14:55:09.805973+01:00 FAC radiusd[16893]: (0) facauth: Decided on [is_fido: false, two_factor: allow both, token_type: none]
2026-01-14T14:55:09.807024+01:00 FAC radiusd[16893]: (0) facauth: ERROR: ERROR: local user 'test_pass' auth require "User-Password" (pap)
2026-01-14T14:55:09.807345+01:00 FAC radiusd[16893]: (0) facauth: Authentication failed
2026-01-14T14:55:09.813482+01:00 FAC radiusd[16893]: (0) facauth: Updated auth log 'test_pass' for attempt from 10.6.0.1~0.0.0.0: Local user authentication from 0.0.0.0 (mschap) with no token failed: invalid user parameter

 

Related documents:

Local User Password Storage

How to configure RADSEC between FortiAuthenticator and FortiGate