Created on 11-11-2024 10:53 AM
Edited on 10-02-2025 11:09 AM
By Matt_B
This article describes how to determine whether RADIUS authentication failures, specifically with MS-CHAPv2, are caused by a known issue in FortiAuthenticator firmware 6.6.x, and provides the available resolution methods.
FortiAuthenticator v6.6.0-6.6.2.
FortiAuthenticator 6.6.0 through 6.6.2 contain an issue affecting MS-CHAPv2 authentication (ID 1026189). This includes 6.6.2, which is also the release that fixes the widely-reported Blast-RADIUS vulnerability, so administrators who upgraded to 6.6.2 for that fix may encounter this issue.
In particular, the issue can cause MS-CHAPv2 authentication to fail with the following error, even when the user's password is correct:
Windows AD administrator authentication from x.x.x.x (mschap) with FortiToken failed: AD auth error: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
This happens if all of the following conditions are met:
- FortiAuthenticator is running firmware 6.6.0, 6.6.1 or 6.6.2.
- Users authenticate over RADIUS with MS-CHAPv2 against a Windows AD domain controller.
- NTLMv1 is disabled on the domain controller that FortiAuthenticator communicates with. (MS-CHAPv2 logons against AD are validated through the NTLM logon path on the domain controller, which is why the NTLMv1 setting matters.)
There are three possible solutions:
1. Upgrade FortiAuthenticator. The issue is resolved in FortiAuthenticator firmware version 6.6.3; this is the recommended fix.
2. Enable NTLMv1 on the domain controller. The issue only occurs if NTLMv1 is disabled, so enabling it stops the error from occurring. However, NTLMv1 is generally disabled because it is deemed insecure, so this should be treated as a temporary workaround at most.
3. Switch away from MS-CHAPv2. A different RADIUS authentication method avoids Windows AD (and thus NTLM) validation entirely. With remote AD users, CHAP is not an option, because CHAP requires the RADIUS server to hold the user's plaintext password, which FortiAuthenticator does not have for remote users. That leaves PAP as the remaining method.
With PAP, the user's password in the RADIUS User-Password attribute is not strongly encrypted: per RFC 2865, it is XORed with a keystream derived by MD5 from the shared secret and the Request Authenticator. The Request Authenticator is transmitted in the packet; only the shared secret (configured in advance on the FortiGate and the RADIUS server) is not. An attacker who knows the shared secret and can capture the traffic between FortiGate and the RADIUS server can therefore recover the plaintext user password from any Access-Request. Since the shared secret can also be guessed offline against captured request/response pairs, it must be long and random if PAP is used.
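The following is an added example, not Fortinet code, showing exactly why a PAP Access-Request is only as safe as the shared secret and the transport. It implements the RFC 2865 section 5.2 User-Password hiding, builds a minimal Access-Request around it, and then plays the on-path attacker: parse the captured packet, take the Request Authenticator from its header, and unmask the password with the shared secret. The shared secret, user name and password are constructed sample values.

```python
"""RFC 2865 User-Password hiding and recovery (added example, not Fortinet code)."""
import hashlib
import os
import struct

ACCESS_REQUEST = 1      # RADIUS Code for Access-Request
ATTR_USER_NAME = 1      # attribute type 1
ATTR_USER_PASSWORD = 2  # attribute type 2


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Mask a password as the RADIUS client does (RFC 2865 section 5.2).

    The password is NUL-padded to a multiple of 16 bytes. Each 16-byte block is
    XORed with MD5(secret + previous block), where the "previous block" is the
    Request Authenticator for the first block and the previous *ciphertext*
    block afterwards. Note this is MD5-based masking, not authenticated encryption.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_password: anyone with the secret can run this on a capture."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    # Strip the NUL padding (a password that itself ends in NUL bytes is ambiguous).
    return bytes(out).rstrip(b"\x00")


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, request_authenticator: bytes = None) -> bytes:
    """Build a minimal PAP Access-Request: header, User-Name, hidden User-Password."""
    ra = request_authenticator or os.urandom(16)
    attrs = b""
    for attr_type, value in ((ATTR_USER_NAME, username),
                             (ATTR_USER_PASSWORD, hide_password(password, secret, ra))):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value  # length includes header
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + ra + attrs


def parse_packet(packet: bytes):
    """Parse the 20-byte RADIUS header and the TLV attribute list."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length field")
    request_authenticator = packet[4:20]
    attrs, pos = [], 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, identifier, request_authenticator, attrs


def recover_password_from_capture(packet: bytes, secret: bytes):
    """What an on-path attacker with the shared secret can do to a captured Access-Request."""
    code, _, request_authenticator, attrs = parse_packet(packet)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    for attr_type, value in attrs:
        if attr_type == ATTR_USER_PASSWORD:
            return reveal_password(value, secret, request_authenticator)
    return None


# Constructed sample values; in practice the secret is the one configured on FortiGate
# and FortiAuthenticator, and CAPTURED is a packet sniffed between the two.
SHARED_SECRET = b"example-shared-secret"
CAPTURED = build_access_request(7, b"alice", b"correct horse battery staple", SHARED_SECRET)

if __name__ == "__main__":
    print("with the shared secret:", recover_password_from_capture(CAPTURED, SHARED_SECRET))
    print("with a wrong secret:   ", recover_password_from_capture(CAPTURED, b"wrong-secret"))
```

Running it shows the plaintext password falling straight out of the capture when the secret is known, and garbage otherwise: the Request Authenticator is right there in the header, so the shared secret is the only thing standing between a packet capture and the password. That is the reason RADSEC or a physically controlled channel is recommended when PAP is in use.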
Regardless of the authentication method in use, it is a best practice to protect the communication channel used to transmit any credentials, either by using strong encryption or by physically controlling the channel. FortiOS v7.4 and above supports RADSEC (RADIUS over TLS, RFC 6614), which encrypts communication with RADIUS servers using TLS over TCP port 2083 instead of plain UDP. See the FortiGate v7.4.0 New Features Guide and the article Technical Tip: How to configure RADSEC between FortiAuthenticator and FortiGate.
Copyright 2025 Fortinet, Inc. All Rights Reserved.