MSCHAP module returns OK, authentication fails..

Alan DeKok aland at
Tue Aug 26 18:03:18 CEST 2008

James Yale wrote:
> Perhaps someone can help, I'm trying to set up FreeRADIUS as a
> cheaper/more flexible alternative to buying a Win2k3 Enterprise
> licence to do PEAP/MSCHAP for wireless clients but seem to be having a
> problem after the MSCHAP module is run.

  See for howto's on getting EAP configured
in a few simple steps.

> I'm using a MacOS as a test client, which connects to the wireless
> network, prompts about an invalid certificate chain for the SSL cert
> (suggesting that TLS is working) and then prompts for credentials. The
> credentials seem to get to radiusd okay, the identity is referenced in
> the debug logs and the authentication (via ntlm_auth) seems to work
> okay as well, returning 0 and reporting success, however after this
> point everything seems to stop. The MacOS client reports that
> authentication has failed at this point.

  Because it doesn't like the server certificate.  Install the server
certificate (or CA.der) on the Mac client.  It should then work.

> All of my tests produce the same result, with the MSCHAP module
> returning success and then (seemingly) nothing happening. I've also
> tested with eapol from wpa_supplicant, which produces the same effect.

  This is in the FAQ and in the comments in raddb/eap.conf.  The simple
summary is that the client doesn't like the server, and has chosen to
stop talking to it.

  In this case, it's because of the invalid certificate error you're seeing.

  Alan DeKok.
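
The trust decision behind this diagnosis, as an added example that is not part of the original post or of FreeRADIUS's own scripts: a constructed CA and server certificate show `openssl verify` rejecting the server until the client is given the signing CA, which is then exported as DER for installation. All subjects, file names and paths below are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo PKI in a temp dir; no real FreeRADIUS files are read or changed.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

make_demo_pki() {
    # Throwaway CA standing in for the one that signed the RADIUS server cert.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo RADIUS CA" \
        -keyout "$demo_dir/ca.key" -out "$demo_dir/ca.pem" 2>/dev/null || return 1
    # Server certificate signed by that CA (what the PEAP TLS tunnel presents).
    openssl req -newkey rsa:2048 -nodes -subj "/CN=radius.example.test" \
        -keyout "$demo_dir/server.key" -out "$demo_dir/server.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$demo_dir/server.csr" -days 1 -CAcreateserial \
        -CA "$demo_dir/ca.pem" -CAkey "$demo_dir/ca.key" \
        -out "$demo_dir/server.pem" 2>/dev/null || return 1
    # Unrelated root: the trust store of a client that never received the CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Unrelated Root" \
        -keyout "$demo_dir/other.key" -out "$demo_dir/other.pem" 2>/dev/null
}

# Succeeds only if the server cert chains to the CA file the client trusts ($1).
# The output is grepped because old OpenSSL releases exit 0 even on failure.
client_trusts_server() {
    openssl verify -CAfile "$1" "$demo_dir/server.pem" 2>/dev/null | grep -q ': OK$'
}

# Write the CA in DER form, the format the reply suggests installing on the client.
export_ca_der() {
    openssl x509 -in "$demo_dir/ca.pem" -outform DER -out "$demo_dir/ca.der"
}

# SHA-256 fingerprint of a certificate; $1 is PEM or DER, $2 is the file.
fingerprint() {
    openssl x509 -inform "$1" -in "$2" -noout -fingerprint -sha256
}

make_demo_pki || { echo "openssl could not build the demo PKI" >&2; exit 1; }
if client_trusts_server "$demo_dir/other.pem"; then
    echo "without the CA installed: server accepted"
else
    echo "without the CA installed: server rejected, client ends the EAP conversation"
fi
if client_trusts_server "$demo_dir/ca.pem"; then
    echo "with the CA installed: server accepted"
fi
export_ca_der && fingerprint DER "$demo_dir/ca.der"
```

Comparing the printed fingerprint with the one shown on the client after import confirms that the client trusts the same CA that signed the server certificate.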
