dbhavsar
Staff
October 3, 2024

Technical Tip: RADIUS authentication using MS-CHAPv2 fails when authenticating towards a Windows NPS server

Description This article describes how to resolve RADIUS authentication failures that occur when MS-CHAPv2 is used against a Windows NPS RADIUS server.
Scope FortiGate.
Solution
  • Check connectivity, and make sure the FortiGate can telnet/ping the RADIUS server.
  • Try authenticating using the default authentication method. All methods work except MS-CHAPv2.
  • To authenticate using MS-CHAPv2, add the following registry value in the Windows NPS server's registry.
  1. Select Start -> Run, type regedit in the Open box, and then select OK.
  2. Locate and select the following registry subkey:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Policy
  3. On the Edit menu, point to New, and then select DWORD Value.
  4. Type Enable NTLMv2 Compatibility, and then press ENTER.
  5. On the Edit menu, select Modify.
  6. In the Value data box, type 1, and then select OK.
  7. Exit Registry Editor.
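
The registry steps above, scripted as an added PowerShell example (not part of the original article and not Fortinet's or Microsoft's own tooling). It assumes an elevated session on the NPS server; the function name Set-NpsNtlmv2Compatibility is hypothetical, while the key path, value name and data are the ones given in the steps.

```powershell
# Added example. Run in an elevated PowerShell session on the NPS server.
# The function name is hypothetical.
function Set-NpsNtlmv2Compatibility {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # Key path, value name and data are the ones given in the steps above.
    $keyPath   = 'HKLM:\System\CurrentControlSet\Services\RemoteAccess\Policy'
    $valueName = 'Enable NTLMv2 Compatibility'
    $wanted    = 1

    # The steps say to locate this key, so it is expected to exist already.
    if (-not (Test-Path -Path $keyPath)) {
        throw "Registry key not found: $keyPath"
    }

    # Read the current state first so the change is recorded and can be reverted.
    $key    = Get-Item -Path $keyPath
    $before = $key.GetValue($valueName, $null)
    $kind   = if ($null -ne $before) { $key.GetValueKind($valueName) } else { $null }

    $alreadySet = ($kind -eq [Microsoft.Win32.RegistryValueKind]::DWord) -and ($before -eq $wanted)
    if (-not $alreadySet -and $PSCmdlet.ShouldProcess("$keyPath\$valueName", 'Set DWORD value 1')) {
        # -Force overwrites an existing value that has the wrong type or data.
        New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord `
            -Value $wanted -Force | Out-Null
    }

    # Re-read from the registry rather than trusting the write.
    $after = (Get-Item -Path $keyPath).GetValue($valueName, $null)
    [pscustomobject]@{
        Key     = $keyPath
        Value   = $valueName
        Before  = if ($null -eq $before) { '<not present>' } else { "$before ($kind)" }
        After   = if ($null -eq $after)  { '<not present>' } else { "$after" }
        Changed = (-not $alreadySet) -and ($after -eq $wanted)
    }
}

# Preview with -WhatIf first, then run without it to apply.
Set-NpsNtlmv2Compatibility -WhatIf
```

The Before field gives the prior state to keep in the change record; running the function again after applying reports Changed as False.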

 


Windows article: VPN connections fail when using MS-CHAPv2.

  • Inside of the NPS Network Policies tab, ensure that the policy in use has MS-CHAPv2 enabled:


network-policy.png

 

  • The below screenshots show that authentication is successful:


mschapv2.png

 

Related article:

FortiGate is unable to contact the RADIUS server