Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevice
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiSASE Sovereign
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Fortigate is using PAP even when MSCHAPv2 selected
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fortigate is using PAP even when MSCHAPv2 selected
I'm adding a second wifi SSID to our current setup. We are using Fortigate V7.4.8 with NPS for authentication. The first wifi SSID, which works fine, is setup to allow a domain user to connect. I'm setting up the second as an IT wifi hotspot to allow select IT personal to join a specific VLAN for IT tasks. Everything is setup and works great except for authentication. Here is my setup for radius:
config user radius
edit "DC_RADIUS"
set server "X.X.X.X"
set secret ENC XXX
set nas-ip "X.X.X.X"
set source-ip "X.X.X.Y"
set secondary-server "X.X.X.Z"
set secondary-secret ENC XXX
next
edit "XXX_IT_RADIUS"
set server "X.X.X.X"
set secret ENC XXX
set nas-ip X.X.X.X
set auth-type ms_chap_v2
set source-ip "X.X.X.Y"
set secondary-server "X.X.X.Z"
set secondary-secret ENC XXX
next
end
DC_RADIUS is our radius setup for domain users and XXX_IT_RADIUS is the radius setup for our IT wifi. The issue is that even though I'm specifying the auth-type for XXX_IT_RADIUS, Fortigate only tries to authenticate with PAP. Here is the debug from FORTIGATE:
2025-11-04 08:53:11 [810] __rad_auth_ctx_insert-Loaded RADIUS server 'XXX_IT_RADIUS'
2025-11-04 08:53:11 [923] fnbamd_cfg_get_radius_list-Total rad servers to try: 1
2025-11-04 08:53:11 [1030] fnbamd_cfg_radius_clear_reachability-Clearing RAD server reachability XXX_IT_RADIUS:X.X.X.X
2025-11-04 08:53:11 [301] fnbamd_radius_get_next_auth_prot-Next auth prot PAP
2025-11-04 08:53:11 [1133] __rad_chk_resp_authenticator-The Message Authenticator validation is mandatory now
2025-11-04 08:53:11 [1156] __rad_chk_resp_authenticator-ret=0
2025-11-04 08:53:11 [1231] fnbamd_rad_validate_pkt-RADIUS resp code 3
2025-11-04 08:53:11 [1031] __rad_error-Ret 1, st = 1.
2025-11-04 08:53:11 [301] fnbamd_radius_get_next_auth_prot-Next auth prot ??
2025-11-04 08:53:11 [1080] __rad_error-
2025-11-04 08:53:11 [307] __rad_udp_close-closed.
I've removed a lot of lines for brevities sake but can add them back if needed. The 301 line shows it's trying to authenticate with PAP even though I specified MSCHAPV2. If I turn PAP on in the NPS, then it authenticates fine but I don't want to authenticate with PAP. I've also tried pointing the IT wifi SSID to DC_RADIUS but it still authenticates only with PAP even though it works the other way with the domain wifi. I've looked at the config for the domain SSID wifi and IT SSID wifi and they are identical.
Oddly enough, DC_RADIUS which doesn't have an auth defined would be set to any. From the documentation this should cycle through different auth methods starting with PAP and then moving to MSCHAPv2. Even though DC_RADIUS is setup as any, it auths with MSCHAPV2 first (which is what I want) which succeeds and allows log in when connected to the domain wifi:
2025-11-04 08:53:17 [810] __rad_auth_ctx_insert-Loaded RADIUS server 'DC_RADIUS'
2025-11-04 08:53:17 [923] fnbamd_cfg_get_radius_list-Total rad servers to try: 1
2025-11-04 08:53:17 [301] fnbamd_radius_get_next_auth_prot-Next auth prot MS-CHAPv2
2025-11-04 08:53:17 [1133] __rad_chk_resp_authenticator-The Message Authenticator validation is mandatory now
2025-11-04 08:53:17 [1156] __rad_chk_resp_authenticator-ret=0
2025-11-04 08:53:17 [1231] fnbamd_rad_validate_pkt-RADIUS resp code 2
Also, I'm setting up the second radius auth because I need it setup to use a different remote group with the NPS.
Any help would be appreciated.
Labels:
- Labels:
-
FortiGate
1 REPLY 1
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You should not be using MS-CHAPv2 in 2025. It uses broken encryption. How are you handling EAP certificate trust?
Labels
-
FortiGate
10,828 -
FortiClient
2,216 -
FortiManager
908 -
FortiAnalyzer
692 -
5.2
687 -
5.4
638 -
FortiSwitch
599 -
FortiClient EMS
589 -
FortiAP
569 -
IPsec
448 -
6.0
416 -
SSL-VPN
394 -
FortiMail
381 -
5.6
362 -
FortiNAC
302 -
FortiWeb
259 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
208 -
FortiAuthenticator
187 -
FortiGuard
161 -
5.0
152 -
Firewall policy
150 -
FortiGate-VM
141 -
6.4
128 -
FortiCloud Products
121 -
FortiToken
115 -
FortiSIEM
113 -
FortiGateCloud
113 -
Wireless Controller
96 -
High Availability
94 -
Customer Service
88 -
ZTNA
80 -
FortiProxy
79 -
SAML
79 -
Routing
79 -
BGP
74 -
Fortivoice
73 -
DNS
73 -
VLAN
73 -
Certificate
72 -
FortiEDR
71 -
Authentication
71 -
FortiADC
69 -
LDAP
65 -
RADIUS
63 -
FortiLink
59 -
SSO
58 -
NAT
57 -
FortiSandbox
55 -
FortiExtender
52 -
Interface
50 -
VDOM
50 -
4.0MR3
49 -
Application control
49 -
Virtual IP
45 -
Logging
44 -
FortiDNS
43 -
SSL SSH inspection
40 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
FortiPAM
37 -
Web profile
36 -
FortiConnect
35 -
Automation
35 -
FortiWAN
31 -
FortiConverter
31 -
API
30 -
FortiGate v5.2
28 -
Fortigate Cloud
27 -
Traffic shaping
26 -
Static route
26 -
SNMP
25 -
SSID
25 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
System settings
22 -
WAN optimization
22 -
FortiMonitor
21 -
OSPF
21 -
Security profile
19 -
Web application firewall profile
19 -
Web rating
19 -
IP address management - IPAM
19 -
FortiSOAR
18 -
FortiAP profile
17 -
FortiGate v5.0
16 -
FortiDDoS
16 -
Explicit proxy
16 -
Admin
15 -
IPS signature
15 -
Proxy policy
15 -
Intrusion prevention
15 -
FortiManager v4.0
14 -
FortiCASB
14 -
NAC policy
14 -
DNS filter
13 -
Users
13 -
FortiManager v5.0
12 -
FortiDeceptor
12 -
Traffic shaping policy
12 -
Fabric connector
12 -
Port policy
12 -
FortiBridge
11 -
FortiRecorder
11 -
Trunk
11 -
Authentication rule and scheme
11 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
Traffic shaping profile
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
FortiCache
8 -
FortiToken Cloud
8 -
Application signature
8 -
4.0
7 -
4.0MR2
7 -
Packet capture
7 -
VoIP profile
7 -
Vulnerability Management
7 -
FortiScan
6 -
FortiNDR
6 -
DoS policy
6 -
FortiCarrier
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
Email filter profile
5 -
Protocol option
5 -
TACACS
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiAI
3 -
Kerberos
3 -
File filter
3 -
Multicast policy
3 -
FortiEdge Cloud
3 -
FortiInsight
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
Lacework
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
FortiSASE
1 -
Virtual wire pair
1 -
FortiEdge
1 -
FortiAIOps
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2737 | |
| 1418 | |
| 812 | |
| 739 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.