Authentication Problem with PEAP and openldap

Michael Poser m.poser at
Mon Jan 12 11:16:32 CET 2009

Hello Alan,

thank you for your reply.

The mapping of the NT-Password describe exactly our problem. We cannot find
the right passage in the radius config to do this. Maybe you can give as a
little hint, this would be very kindly.

Best Regards, Michael

> native wired xp 802.1X client with PEAP (mschapv2) tries to authenticate
> freeradius against openldap with an md4 encoded utf-16e password hash. The
> authentication fails. If we use the hash instead of the clear-text
> with the xp client, the authentication works fine. There must be some
> problems with the encryption of the password. How do we fix the problem?
> help is appreciated.

  You may have the NT hash of the password in the LDAP database, but
you're telling FreeRADIUS it's the clear-text password:
> rlm_ldap: performing search in ou=XXX,ou=XXX,o=XXX,dc=XXX,dc=de, with
> (uid=plisch01)
> rlm_ldap: Added password 4183... in check items

  You want to map this to the NT-Password attribute.

  Alan DeKok.

Michael Poser,
HRZ - Abteilung Netze  

More information about the Freeradius-Users mailing list