Question
Friday, January 29, 2010 11:55 AM
Hello there.
We have Windows Server 2008 R2 server with Network Policy Server role installed (among other roles like ADCS, ADDS and DNS). We have defined the required RADIUS client and Connection Request and Network Policies. The RADIUS client is a Fortinet Fortigate 60B firewall with 3.00-b5101(MR5 Patch 2) software version.
The problem is that MS-CHAP-v2 authentication doesn’t work. On the other hand PAP does work.
The actual question is whether the “NULL SID” value for User Security ID is a feature of MS-CHAP-v2 authentication or whether it suggests a fault at the RADIUS client. Does it hint that the user wasn't authenticated successfully, even though PAP authentication for the very same RADIUS sessions worked fine with the same username and password? The working PAP authentication has a proper value as User SID. I would be grateful for successful MS-CHAP-v2 authentication log examples or any other related tips.
I couldn’t find any successful MS-CHAP-v2 logs on the Internet to compare to.
According to Fortinet’s support the fault lies at NPS, but I’m not yet buying that a Fortigate device has more functional MS-CHAP-v2 support than Microsoft’s own product.
Thanks in advance.
***
Unsuccessful MS-CHAP-v2 attempt
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: NULL SID
Account Name: karrir
Account Domain: TEST
Fully Qualified Account Name: TEST\karrir
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: -
Calling Station Identifier: 10.128.1.84
NAS:
NAS IPv4 Address: -
NAS IPv6 Address: -
NAS Identifier: natter
NAS Port-Type: -
NAS Port: -
RADIUS Client:
Client Friendly Name: Fortigate Firewall
Client IP Address: 10.128.0.68
Authentication Details:
Connection Request Policy Name: Fortigate User Access
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: test-dc-1.test.lan
Authentication Type: MS-CHAPv2
EAP Type: -
Account Session Identifier: 3030324530303731
Logging Results: Accounting information was written to the local log file.
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
***
Successful PAP authentication
Network Policy Server granted full access to a user because the host met the defined health policy.
User:
Security ID: TEST\karrir
Account Name: karrir
Account Domain: TEST
Fully Qualified Account Name: TEST\karrir
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: -
Calling Station Identifier: 10.128.1.84
NAS:
NAS IPv4 Address: -
NAS IPv6 Address: -
NAS Identifier: natter
NAS Port-Type: -
NAS Port: -
RADIUS Client:
Client Friendly Name: Fortigate Firewall
Client IP Address: 10.128.0.68
Authentication Details:
Connection Request Policy Name: Fortigate User Access
Network Policy Name: Fortigate User Access
Authentication Provider: Windows
Authentication Server: test-dc-1.test.lan
Authentication Type: PAP
EAP Type: -
Account Session Identifier: 3030324530303733
Quarantine Information:
Result: Full Access
Extended-Result: -
Session Identifier: -
Help URL: -
System Health Validator Result(s): -
***
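As an added triage example (not code from the thread, from Microsoft or from Fortinet): a Python parser for the NPS audit-event text quoted above that pairs an MS-CHAPv2 denial (reason code 16, NULL user SID) with a PAP success for the same user from the same RADIUS client, which is the question's own argument that the password is correct and the MS-CHAPv2 path is what fails. The event fields and values are the ones quoted in the question; the `Section/Field` key naming is my own choice.

```python
from collections import defaultdict
# Two NPS audit events trimmed from the thread above (constructed sample input, not live logs).
SAMPLE_EVENTS = r"""Network Policy Server denied access to a user.
User:
Security ID: NULL SID
Fully Qualified Account Name: TEST\karrir
RADIUS Client:
Client IP Address: 10.128.0.68
Authentication Details:
Network Policy Name: -
Authentication Type: MS-CHAPv2
Reason Code: 16
***
Network Policy Server granted full access to a user because the host met the defined health policy.
User:
Security ID: TEST\karrir
Fully Qualified Account Name: TEST\karrir
RADIUS Client:
Client IP Address: 10.128.0.68
Authentication Details:
Network Policy Name: Fortigate User Access
Authentication Type: PAP"""

def parse_event(text):
    """Parse one NPS event into {'Section/Field': value}; the first line is the outcome."""
    lines = [l.strip() for l in text.strip().splitlines() if l.strip()]
    fields, section = {"Outcome": lines[0]}, ""
    for line in lines[1:]:
        key, _, value = line.partition(":")
        if value.strip():
            fields[f"{section}/{key.strip()}"] = value.strip()
        else:  # a bare "User:" / "NAS:" line opens a new section
            section = key.strip()
    return fields

def triage(raw_events):
    """Flag MS-CHAPv2 denials (reason code 16, NULL user SID); note whether the same user passed PAP from the same client."""
    auth = lambda e: e.get("Authentication Details/Authentication Type")
    groups = defaultdict(list)
    for ev in (parse_event(e) for e in raw_events if e.strip()):
        groups[(ev["User/Fully Qualified Account Name"], ev["RADIUS Client/Client IP Address"])].append(ev)
    findings = []
    for (user, client), evs in groups.items():
        pap_ok = any(e["Outcome"].startswith("Network Policy Server granted") and auth(e) == "PAP" for e in evs)
        for e in evs:
            if (e["Outcome"].startswith("Network Policy Server denied") and auth(e) == "MS-CHAPv2"
                    and e.get("Authentication Details/Reason Code") == "16" and e.get("User/Security ID") == "NULL SID"):
                findings.append({"user": user, "client": client, "pap_succeeded": pap_ok,
                                 "network_policy": e.get("Authentication Details/Network Policy Name")})
    return findings
```

A finding with `pap_succeeded` set is a denial for a password that NPS itself just accepted over PAP, so the place to look is the network policy's allowed authentication methods and the RADIUS client's MS-CHAPv2 handling rather than the user's credentials.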
All replies (3)
Wednesday, April 28, 2010 12:26 PM ✅Answered
Just wanted to let everyone know that the problem lies definitely with Fortigate as it doesn't work with other tried RADIUS services either using MS CHAP v2.
Fortinet's own support is finally looking into the issue.
Thursday, March 25, 2010 11:08 AM
Hello KarriR,
I had nearly the same problem. The RADIUS server allowed only PAP.
I'm using Windows Server 2008.
Check your configured Network Policy in the NPS (local):
- Tab 'Constraints' -> 'Authentication Methods': check the requested authentication methods (I marked MS-CHAP-v2, MS-CHAP, CHAP and PAP; before, only PAP was checked).
After that it worked fine.
Thursday, June 14, 2012 10:16 AM | 1 vote
Hi, we had this same problem.
Open up Network Policy Server. Navigate to your RADIUS client, right-click Properties, navigate to the Advanced tab, then under Additional Options uncheck 'Access-Request messages must contain the Message-Authenticator attribute' and check 'RADIUS client is NAP-capable'.