Help for configuration 3.0.11

Philipp Trenz mail at
Thu Sep 29 16:14:14 CEST 2016

Thanks for your help! The main problem was to notice that the ldap user has rights to 
search through ldap, but was denied to get the NT-Password Hash because its IP was not 
recognized. ldap authentication now runs like a charm!

Only thing left is that freeradius seems not to close the ldap-connection. The ldap-admin 
says there are "error 11"s while the connection runs into a timeout and ldap then closes 
the connection after 60s or so. Any guesses where to start?
Freeradius is also configured to work with Accounting. Is FR trying to hold the connection 
for setting attributes or something like this?

Thanks a lot!

P.S. I have to correct the version, it's a 3.0.12 build from last week.

On Thursday, 29 September 2016, 13:32:33 CEST, freeradius-users-request at wrote:
> Message: 3
> Date: Thu, 29 Sep 2016 12:08:20 +0100
> From: Brian Candler <b.candler at>
> To: Philipp Trenz <mail at>,
>         freeradius-users at
> Subject: Re: Help for configuration 3.0.11
> Message-ID: <dd527617-ed09-10f3-1c63-9daa2b9f06d7 at>
> Content-Type: text/plain; charset=utf-8; format=flowed
> On 28/09/2016 18:21, Philipp Trenz wrote:
> > As I understand, PEAP gets processed within the outer default-virtual 
> > server and this passes the inner MS-CHAPv2 to inner-tunnel. Now I'm 
> > not sure if it has to be processed through the mschap-module or 
> > through ldap-module.
> Both.
> > If mschap-module, where or when does freeradius get the NT-Password 
> > from LDAP? Does the mschap-module trigger the ldap-module?
> You use the ldap module during the "authorize" phase, which finds the 
> account and reads out the NT password hash. Then you use the mschap 
> module during the "authenticate" phase, which actually checks the 
> supplied password against the NT password hash.
> It is very important to remember that FreeRADIUS runs the authorize 
> modules *first*, and the authenticate modules at the end.
> There are a couple of good articles here, specifically for using 
> FreeRADIUS with a FreeIPA backend:
> freeipa.html
> service_accounts..html
> They also give the fu required to get FreeIPA to store the ipaNTHash 
> attribute, and to selectively expose it to the RADIUS server.
> (You don't want to expose your NT password hashes to the whole world; 
> they are essentially plain text passwords in their own right.  A client 
> can use the NT password hash by itself to authenticate, without having 
> to brute force it)
> Regards,
> Brian.
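
Added example, not part of the original thread and not taken from the linked articles: a trimmed FreeRADIUS 3.0 fragment showing the split described above, with the ldap module reading the hash during authorize and mschap checking it during authenticate. The host name, DNs and password are constructed placeholders; `ipaNTHash` is the attribute named in the reply.

```conf
# mods-enabled/ldap (trimmed; host, DNs and password are constructed placeholders)
ldap {
    server   = 'ipa.example.org'
    # Dedicated service account. The directory ACL should let only this
    # bind DN read the hash attribute, since the hash is password-equivalent.
    identity = 'uid=radius,cn=sysaccounts,cn=etc,dc=example,dc=org'
    password = 'CHANGE-ME'
    base_dn  = 'cn=users,cn=accounts,dc=example,dc=org'

    update {
        # Copy the stored hash into the control list for mschap to use later.
        control:NT-Password := 'ipaNTHash'
    }

    user {
        base_dn = "${..base_dn}"
        filter  = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
}

# sites-enabled/inner-tunnel (trimmed to the modules discussed in this thread)
server inner-tunnel {
    authorize {
        # Notices MS-CHAP attributes in the request and sets Auth-Type.
        mschap
        eap {
            ok = return
        }
        # Finds the account and reads out the NT password hash.
        ldap
    }

    authenticate {
        Auth-Type MS-CHAP {
            # Checks the supplied response against control:NT-Password.
            mschap
        }
        eap
    }
}
```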
