FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
dalon
Staff
Staff
Description
This article provides an explanation and workaround for "MS-CHAP-Error(2): \000E=691 R=0 V=3" message, which can come in Access-Reject from Radius.

Sniffer    
2    0.001287    10.10.10.10    10.10.10.254    RADIUS    84
    Access-Reject(3) (id=5, l=42)
AVP: l=22  t=Vendor-Specific(26) v=Microsoft(311)
VSA: l=16 t=MS-CHAP-Error(2): \000E=691 R=0 V=3

Solution
Windows server 2008 might refuse NTLM connections because NTLMv1 is disabled by default.

Enable NTLMv1 in the server as follows:

Start > Administrative Tools > Local Security Policy > Local Policies > Security Options > Network security: LAN Manager authentication level entry > Send NTLM response only.

tn_FD40275-1.jpg

Contributors