
Created on
11-11-2024
10:53 AM
Edited on
12-27-2024
07:44 AM
By
Anthony_E
Description
This article describes how to determine if there are issues with RADIUS authentication, specifically MS-CHAPv2, due to running firmware version 6.6.x, and provides a few resolution methods.
Scope
FortiAuthenticator v6.6.0-6.6.2.
Solution
FortiAuthenticator 6.6.x introduced an issue with MS-CHAPv2 authentication (ID 1026189). It is present in 6.6.0 through 6.6.2, including 6.6.2, which is also the release that contains the fix for the widely reported Blast-RADIUS vulnerability; upgrading to 6.6.2 for that fix therefore does not avoid this issue.
In particular, this issue can cause MS-CHAPv2 authentication to fail with the following error, even when the supplied password is correct:
Windows AD administrator authentication from x.x.x.x (mschap) with FortiToken failed: AD auth error: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
The status code 0xc000006d is the generic Windows STATUS_LOGON_FAILURE, so the message alone does not distinguish this defect from a genuinely wrong password. Check the conditions below instead.
This happens if all of the following conditions are met:
- FortiAuthenticator is running firmware version 6.6.0 to 6.6.2
- The affected RADIUS policies have Windows AD authentication enabled and MS-CHAPv2 is in use
- NTLMv1 is disabled on the domain controllers FortiAuthenticator uses to check user credentials
There are three possible solutions:
- Upgrade to firmware version 6.6.3 or a special build.
The issue will be fixed in firmware version 6.6.3.
A special build is also available upon request. Submit the request via a ticket with Technical Support.
- Enable NTLMv1 (temporary workaround only).
The issue only occurs if NTLMv1 is disabled on the domain controller(s) FortiAuthenticator communicates with, so enabling NTLMv1 there makes the error stop.
On Windows domain controllers this is governed by the 'Network security: LAN Manager authentication level' policy (the LmCompatibilityLevel registry value); the setting 'Send NTLMv2 response only. Refuse LM & NTLM' is what rejects NTLMv1.
However, NTLMv1 is generally disabled because it is considered insecure, and re-enabling it weakens authentication for the whole domain, not just for the RADIUS path. Treat this as a stopgap until the upgrade.
- Switch to PAP.
Switching the affected RADIUS policies away from MS-CHAPv2 also resolves the issue, because the MS-CHAPv2 exchange with Windows AD (and thus NTLM) is no longer used.
For remote (Windows AD) users CHAP is not an option, because CHAP requires the authentication server to hold the user's cleartext or reversibly encrypted password, which AD does not provide. That leaves PAP.
With PAP the RADIUS client sends the password in the User-Password attribute, obfuscated with an MD5-based scheme keyed by the RADIUS shared secret (the Preshared-key, PSK) rather than encrypted with a strong cipher. Anyone who knows the shared secret and has a packet capture of the Access-Request can recover the user's password in clear text. If PAP is chosen, use a long, unique shared secret and protect the RADIUS traffic between the client and FortiAuthenticator at the network layer (for example, by carrying it inside an IPsec tunnel).
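The following added example (not part of the original article or of FortiAuthenticator) shows exactly what the PAP caveat above means. It implements the RFC 2865 section 5.2 User-Password obfuscation that every RADIUS client applies to a PAP password, then plays the role of someone holding a packet capture: with the shared secret the password falls out in clear text, without it the result is garbage. The shared secret, Request Authenticator and password are constructed values; the byte layout of the attribute (type 2, length, value) is the real RADIUS attribute format.

```python
"""Added example: RFC 2865 s.5.2 PAP User-Password obfuscation and its recovery
from a capture when the RADIUS shared secret is known."""
import hashlib


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Obfuscate a PAP password as the RADIUS client does (RFC 2865 s.5.2).

    The password is NUL-padded to a multiple of 16 bytes. Each 16-byte block is
    XORed with MD5(secret + previous ciphertext block); the first block uses the
    16-byte Request Authenticator from the Access-Request header instead.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits the password to 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = _md5(secret + prev)
        cipher_block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += cipher_block
        prev = cipher_block  # chaining: next keystream depends on this block
    return bytes(out)


def decode_user_password(attr_value: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse the obfuscation, as the RADIUS server does (or an eavesdropper with
    the secret). Trailing NUL padding is stripped; real passwords never contain NUL."""
    if len(attr_value) == 0 or len(attr_value) % 16:
        raise ValueError("User-Password value must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(attr_value), 16):
        cipher_block = attr_value[i:i + 16]
        keystream = _md5(secret + prev)
        out += bytes(c ^ k for c, k in zip(cipher_block, keystream))
        prev = cipher_block
    return bytes(out).rstrip(b"\x00")


def build_user_password_avp(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Wrap the obfuscated value in a RADIUS attribute: Type=2, Length (incl. header), Value."""
    value = encode_user_password(password, secret, authenticator)
    return bytes([2, 2 + len(value)]) + value


def parse_avp(avp: bytes) -> tuple[int, bytes]:
    """Split a single RADIUS attribute into (type, value)."""
    attr_type, length = avp[0], avp[1]
    return attr_type, avp[2:length]


def recover_from_capture(authenticator: bytes, avp: bytes, candidate_secret: bytes) -> bytes:
    """What an analyst with a pcap does: the Request Authenticator is in the packet
    header in clear, the User-Password AVP is in the payload; only the secret is needed."""
    attr_type, value = parse_avp(avp)
    if attr_type != 2:
        raise ValueError("not a User-Password attribute")
    return decode_user_password(value, candidate_secret, authenticator)


def demo() -> dict:
    # All three values are constructed for this example.
    secret = b"constructed-shared-secret"
    authenticator = bytes.fromhex("0123456789abcdef0123456789abcdef")
    password = b"CorrectHorseBatteryStaple!"  # 26 bytes -> padded to two 16-byte blocks
    avp = build_user_password_avp(password, secret, authenticator)
    return {
        "avp_hex": avp.hex(),
        "with_secret": recover_from_capture(authenticator, avp, secret),
        "without_secret": recover_from_capture(authenticator, avp, b"wrong-guess"),
    }


if __name__ == "__main__":
    result = demo()
    print("User-Password AVP on the wire:", result["avp_hex"])
    print("Recovered with the shared secret:", result["with_secret"])
    print("Recovered with a wrong secret:   ", result["without_secret"])
```

Note that the keystream is just MD5 over the secret and a value visible in the packet, so a captured Access-Request also gives an attacker an offline target for guessing a weak shared secret; this is why the shared secret, not the obfuscation, is the only thing standing between a PAP capture and the user's password.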