jlopeztellez
Staff
March 28, 2025

Troubleshooting Tip: MS-CHAP-v2, MS-CHAP authentication problems

Description

This article describes how to troubleshoot authentication with MS-CHAP-v2.

Scope

FortiGate. This article provides a comprehensive guide to troubleshooting authentication issues related to MS-CHAP-v2 (Microsoft Challenge Handshake Authentication Protocol version 2).

Solution

This article describes how to fix MS-CHAP-v2 authentication between the FortiGate and the RADIUS server. This consists of:

  • Understanding the MS-CHAP-v2 authentication process.
  • Identifying common authentication failures and error codes.
  • Resolving password-related and encryption issues.

Go to Modify -> Registry Editor -> Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Policy -> Enable NTLMv2Compatibility -> change the REG_DWORD to 0x00000001 (1).

By default, RADIUS servers have a policy enabled that limits NTLM authentication.

This can be a common problem when troubleshooting MS-CHAP-v2. Many RADIUS servers enforce policies that limit or restrict NTLM authentication, especially when Kerberos is preferred for security reasons.

The registry change above has fixed the MS-CHAP-v2 issue.

The RADIUS server configuration on the FortiGate shows that MS-CHAP-v2 is enabled.

FortiGate now shows that authentication passes.

There may be other authentication issues, such as MS-CHAPv2 failing against Windows NPS RADIUS servers.

Refer to 'Technical Tip: RADIUS authentication using MS-CHAPv2 fails when authenticating towards a Windows NPS server' for more information on how to resolve this issue.