adding mschap to an existing ttls/pap setup

Alan DeKok aland at
Thu Apr 12 18:02:08 CEST 2012

Brian Gold wrote:
> We currently have an existing freeradius setup using eap-ttls/pap with an openldap backend. Up until now, our userPassword has
> always been SHA encoded. I've been working to add sambaNTPassword hashes so that we can use either eap-ttls/mschap or peap/mschap.
> I've got the nt hashes set, but I'm having some difficulty getting freeradius to successfully authenticate. 
> Output from "radtest -t mschap username password localhost 0 secret":

  The NT hash doesn't match the supplied password.

> output from "radtest -t pap username password localhost 0 secret":

  In which you've forced "Auth-Type := LDAP", which means it's ignoring
the NT hash.

  Don't do that.

  Use the "smbpasswd" program supplied with FreeRADIUS to create the NT
hash.  Use a simple password like "test".  That also means you don't
need to worry about pasting it to the list.

  Put the password into the "users" file.  Test it with PAP && MS-CHAP.
 CHECK TO MAKE SURE it's using the password.  i.e. not LDAP.

  Then... delete the password from the users file, and put it into LDAP.
Check also that you're not setting "Auth-Type := LDAP"

  You're trying to fix a problem which has a lot of pieces.  Some of the
pieces are configured wrong, which means it's impossible to figure out
the *other* pieces.

  Solve one problem at a time.

  Alan DeKok.

More information about the Freeradius-Users mailing list