FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
Hawada1
Staff & Editor
Article Id 423579
Description This article describes how to address the 802.1X (dot1x) EAP-PEAP-MSCHAPv2 authentication failure that FortiNAC reports with the error 'Credentials Invalid (MSCHAP2)'.
Scope FortiNAC, Windows 11 22H2.
Solution Starting with Windows 11 22H2, Credential Guard is enabled by default on eligible devices, and it blocks the MS-CHAPv2 exchange that EAP-PEAP-MSCHAPv2 relies on (see Microsoft's 'Considerations and known issues when using Credential Guard'). Authentication then fails, and the RADIUS logs on FortiNAC show the following error returned by Active Directory:

(11564) mschap-WININD: Creating challenge hash with username: hawada1
(11564) mschap-WININD: Client is using MS-CHAPv2
(11564) mschap-WININD: Executing: /usr/bin/ntlm_auth --request-nt-key --allow-mschapv2 --username=%{mschap-WININD:User-Name} --domain= --challenge=%{%{mschap-WININD:Challenge}:-00} --nt-response=%{%{mschap-WININD:NT-Response}:-00}:
(11564) mschap-WININD: EXPAND --username=%{mschap-WININD:User-Name}
(11564) mschap-WININD: --> --username=hawada1
(11564) mschap-WININD: Creating challenge hash with username: hawada1
(11564) mschap-WININD: EXPAND --challenge=%{%{mschap-WININD:Challenge}:-00}
(11564) mschap-WININD: --> --challenge=1537579dbb93c147
(11564) mschap-WININD: EXPAND --nt-response=%{%{mschap-WININD:NT-Response}:-00}
(11564) mschap-WININD: --> --nt-response=45777148c1afb00271d905beeb31765729f88fe0df16bb80
(11564) mschap-WININD: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'
(11564) mschap-WININD: External script failed
(11564) mschap-WININD: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
(11564) mschap-WININD: ERROR: MS-CHAP2-Response is incorrect

rlm_rest (rest_reject): Connecting to "http://127.0.0.1:8081/api/v2/radius"
(11564) [rest_reject] = updated
(11564) update outer.session-state {
(11564) &Module-Failure-Message !* ANY
(11564) &Module-Failure-Message := &reply:Module-Failure-Message ->'Credentials Invalid (MSCHAP2)'

To overcome this behavior, disable Credential Guard on the Windows 11 machine or switch to EAP-TLS. Where certificate-based authentication is feasible, EAP-TLS is the better option, because disabling Credential Guard removes the isolation that protects domain credentials on the endpoint.

Add or modify the following registry values:

Key path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Key name: LsaCfgFlags
Type: REG_DWORD
Value: 0

Key path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard
Key name: RequirePlatformSecurityFeatures
Type: REG_DWORD
Value: 0

Key path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
Key name: LsaCfgFlags
Type: REG_DWORD
Value: 0

Alternatively:

  1. Open a Command Prompt as an administrator and run the following commands:

mountvol X: /s
copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y
bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi"
bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X:
mountvol X: /d

  2. Restart the device. Before the OS boots, a prompt appears notifying that UEFI was modified and asking for confirmation. The prompt must be confirmed for the changes to persist.

Note: Deleting these registry values may not disable Credential Guard. Each of them must be explicitly set to a value of 0.
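The following PowerShell script is an added example and not part of the Fortinet article. It first reads the Credential Guard state from the Win32_DeviceGuard WMI class (service id 1 is Credential Guard), so that the registry change is only applied on endpoints where Credential Guard is actually running, and then sets the three registry values listed above to 0 without deleting them. The function names and the console messages are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example: check whether Credential Guard is running, then apply the
# three registry values from the article (set to 0, never deleted).

function Get-CredentialGuardState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    # SecurityServices* arrays: 1 = Credential Guard, 2 = HVCI
    [pscustomobject]@{
        VbsStatus  = $dg.VirtualizationBasedSecurityStatus
        Configured = ($dg.SecurityServicesConfigured -contains 1)
        Running    = ($dg.SecurityServicesRunning -contains 1)
    }
}

# Registry values from the article; Windows needs an explicit 0 here.
$settings = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';            Name = 'LsaCfgFlags' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard';    Name = 'RequirePlatformSecurityFeatures' }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'; Name = 'LsaCfgFlags' }
)

function Set-CredentialGuardRegistry {
    foreach ($s in $settings) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        $current = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
        if ($null -eq $current -or $current.($s.Name) -ne 0) {
            # -Force overwrites an existing value of the same name
            New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType DWord -Value 0 -Force | Out-Null
            Write-Host "Set $($s.Path)\$($s.Name) = 0"
        } else {
            Write-Host "$($s.Path)\$($s.Name) is already 0"
        }
    }
}

$state = Get-CredentialGuardState
Write-Host "Credential Guard configured: $($state.Configured), running: $($state.Running), VBS status: $($state.VbsStatus)"
if ($state.Running) {
    Set-CredentialGuardRegistry
    Write-Host 'Reboot required. If Credential Guard was enabled with UEFI lock, the SecConfig.efi/bcdedit steps above are also needed.'
} else {
    Write-Host 'Credential Guard is not running on this endpoint; look for another cause of the PEAP-MSCHAPv2 failure.'
}
```

If Credential Guard is delivered by Group Policy or an MDM profile, change it at the policy source as well, since the next policy refresh would otherwise set these values back.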