FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
Debbie_FTNT
Staff
Article Id 356880
Description

This article describes how to determine whether RADIUS authentication issues, specifically with MS-CHAPv2, are caused by running firmware version 6.6.x, and provides a few methods for resolution.

Scope

FortiAuthenticator v6.6.0-6.6.2.

Solution

FortiAuthenticator 6.6.x introduced an issue with MS-CHAPv2 (ID 1026189). This includes firmware version 6.6.2, which itself contains a fix for the widely reported Blast-RADIUS vulnerability.
In particular, this issue can cause MS-CHAPv2 authentication to fail with the following error:


Windows AD administrator authentication from x.x.x.x (mschap) with FortiToken failed: AD auth error: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)

This may happen even if the password is correct.

This happens if all of the following conditions are met:

  • FortiAuthenticator is running firmware version 6.6.0 to 6.6.2
  • The affected RADIUS policies have Windows AD authentication enabled and MS-CHAPv2 is in use
  • NTLMv1 is disabled on the domain controllers FortiAuthenticator uses to check user credentials
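The following triage helper is an added example, not Fortinet's code or part of this article: it scans exported FortiAuthenticator log lines for the exact failure signature quoted above (method mschap, status code 0xc000006d) and combines the hits with the three conditions listed. The log lines, IP addresses and the function names are constructed for illustration.

```python
import re

# Signature of the failure message quoted in this article: the client method is
# "mschap" and the AD status code is 0xc000006d (NTSTATUS STATUS_LOGON_FAILURE).
AUTH_FAIL_RE = re.compile(
    r"authentication from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) \((?P<method>\w+)\)"
    r".*?AD auth error:.*?\((?P<code>0x[0-9a-fA-F]+)\)"
)
ISSUE_CODE = "0xc000006d"
AFFECTED_FIRMWARE = {(6, 6, 0), (6, 6, 1), (6, 6, 2)}   # 6.6.0 to 6.6.2 per the article


def firmware_affected(version: str) -> bool:
    """True for the 6.6.0-6.6.2 range named in the article ("6.6.2" -> (6, 6, 2))."""
    return tuple(int(p) for p in version.split(".")) in AFFECTED_FIRMWARE


def find_mschap_ad_failures(lines):
    """Return (source_ip, line) for every MS-CHAP AD failure carrying code 0xc000006d."""
    hits = []
    for line in lines:
        m = AUTH_FAIL_RE.search(line)
        if m and m["method"] == "mschap" and m["code"].lower() == ISSUE_CODE:
            hits.append((m["src"], line.strip()))
    return hits


def matches_id_1026189(version, ad_auth_with_mschapv2, dc_ntlmv1_disabled, lines):
    """All three article conditions must hold and the log must show the error."""
    return (firmware_affected(version) and ad_auth_with_mschapv2
            and dc_ntlmv1_disabled and bool(find_mschap_ad_failures(lines)))


# Constructed sample log lines (documentation-range IPs, not real events).
SAMPLE_LOGS = [
    "Windows AD administrator authentication from 192.0.2.10 (mschap) with FortiToken failed: "
    "AD auth error: The attempted logon is invalid. This is either due to a bad username or "
    "authentication information. (0xc000006d)",
    "Windows AD user authentication from 192.0.2.11 (pap) with FortiToken succeeded",
    "Windows AD user authentication from 192.0.2.12 (mschap) with FortiToken failed: "
    "AD auth error: constructed unrelated failure (0xc0000234)",
]

if __name__ == "__main__":
    for src, line in find_mschap_ad_failures(SAMPLE_LOGS):
        print(f"{src}: {line[:60]}...")
    print(matches_id_1026189("6.6.2", True, True, SAMPLE_LOGS))
```

Only the first sample line is reported; a matching signature on a non-affected firmware version, or with NTLMv1 still enabled on the domain controllers, points to an ordinary credential problem rather than ID 1026189.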

There are three possible solutions:

  1. Upgrade to firmware version 6.6.3 or a special build.

The issue will be fixed in firmware version 6.6.3.
There is also a special build available upon request. A request can be submitted via a ticket with Technical Support.

  2. Enable NTLMv1.

The issue only occurs if NTLMv1 is disabled on the domain controller(s) FortiAuthenticator communicates with.
Enabling NTLMv1 should ensure that the error no longer occurs.
However, NTLMv1 is generally disabled because it is considered insecure.

  3. Switch to PAP.

Switching away from MS-CHAPv2 also resolves the issue, because no Windows AD authentication (and therefore no NTLM) is required.
However, for remote users CHAP is not an option, which leaves PAP.
This usually means the password is sent in cleartext from the RADIUS client to FortiAuthenticator.