Help with proxy settings please

Phil Mayers p.mayers at
Thu Jan 12 14:37:38 CET 2012

On 01/12/2012 01:23 PM, lmgo5991 wrote:
> Hi,
> Could someone please shed some light on the where we are going wrong.  We
> have followed the documentation provided however it is unclear where to
> reference our internal ad servers.

Your subject line is a bit confusing. You say "proxy settings" but I see 
no evidence that you are doing any proxying; you appear to just be doing 
normal local authentication.

It seems you are trying to do PEAP/MSCHAP. Validating MSCHAP requires 

  1. The NT hash
  2. The plaintext password, from which the NT hash can be generated
  3. Access to a 3rd party machine that can check the challenge/response 
for you


If your account details are stored in active directory, you can only use 
option 3. This translates into:

  1. Install Samba
  2. Join Samba to the domain
  3. Start winbind
  4. Configure FreeRADIUS to use ntlm_auth to check MSCHAP against the 
AD controllers


> /usr/local/etc/raddb/sites-enabled/inner-tunnel
> [mschapv2] +- entering group MS-CHAP {...}
> [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
> [mschap] No Cleartext-Password configured.  Cannot create NT-Password.
> [mschap] Creating challenge hash with username: radldapuser at
> [mschap] Told to do MS-CHAPv2 for radldapuser at with NT-Password
> [mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
> [mschap] FAILED: MS-CHAP2-Response is incorrect

As you can see, FreeRADIUS can't check  your password because it doesn't 
know it.

Note: you CANNOT USE LDAP to solve this problem. Active Directory does 
not expose the required data over LDAP. You MUST use Samba & ntlm_auth.

Hope this helps.


More information about the Freeradius-Users mailing list