Help
Wireless Controller
Dedicated Wi-Fi control and management for high density and mobility
nmichael
Staff
Staff

Created on ‎04-21-2017 03:13 AM

Article Id 190741

Technical Note: Radius authentication with FortiConnect fails with error: mschap2 response is incorrect

Description
This article addresses Windows clients failing RADIUS authentication with FortiConnect with the error: mschap2 response is not correct.

Scope
FortiConnect v16.7

Solution
This may occur because the Active Directory used on FortiConnect uses NTLMv2 as it is more secure than NTLMv1.  FortiConnect uses Free Radius that supports only NTLMv1 and not NTLMv2.

This issue can be resolved only if NTLMv1 is enabled on Active Directory.  However, many users will prefer not to use this option as NTLMv1 is more vulnerable to security attacks.

In this case, one of the following options can be used:

1.)  Use EAP-TLS authentication instead of EAP-PEAP MSCHAPV2.

2.)  MCT should use RADIUS authentication policy instead of AD authentication policy.   However, in this case it will not be possible to use MCT features.

1333
0 Kudos
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.