Re: MSCHAPv2 Module with Stripped-Username - no ActiveDirectory

Markus Maurer lists at
Mon Nov 12 12:34:46 CET 2018

Mon Nov 12 11:04:40 2018 : Debug: (1) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key *--username=%{Stripped-User-Name}* --domain=%{%{mschap:NT-Domain}:-EXAMPLEDOM} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}:

On Monday, November 12, 2018 10:27 CET, Adam Bishop <Adam.Bishop at> wrote:
 On 11 Nov 2018, at 20:56, Markus Maurer <lists at> wrote:
> Hmm... Meanwhile I think that you didn't understand the problem. You're just talking around the problem, not about the problem, nor trying to help solve it...

I'm reasonably sure the maintainer of the server has a better idea of how it works than yourself.

> The nt hash is calculated from the password, not from the username

That's 100% correct, but unfortunately 100% unrelated.

MSCHAP uses the username to create the *challenge hash* not the *NT hash*. If you change the username, the authentication process fails because you've changed the challenge hash.

You *cannot* make this work using MSCHAP and AD.

If you want to use OTP you have to change EAP method, or as Alan told you several messages ago, store clear text passwords.

Adam Bishop

gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460
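
The username dependency described in the message above, as an added example that is not part of the original thread or of FreeRADIUS: the MS-CHAPv2 ChallengeHash from RFC 2759 section 8.2, computed once with the name the client typed and once with a stripped name. The challenge bytes are the RFC 2759 section 9.2 test values; the names `alice@example.org` and `alice` are constructed.

```python
import hashlib
import hmac

# RFC 2759 section 9.2 test values (UserName "User").
RFC_PEER = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
RFC_AUTH = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """RFC 2759 section 8.2: first 8 octets of
    SHA1(PeerChallenge || AuthenticatorChallenge || UserName)."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("both challenges must be 16 octets")
    digest = hashlib.sha1(
        peer_challenge + auth_challenge + username.encode("ascii")
    ).digest()
    return digest[:8]


def names_agree(peer: bytes, auth: bytes, client_name: str, server_name: str) -> bool:
    """True only if client and verifier derive the same 8-octet challenge.

    The NT-Response is computed over this challenge with the NT hash as key,
    so a mismatch here makes verification fail even with the right password.
    """
    return hmac.compare_digest(
        challenge_hash(peer, auth, client_name),
        challenge_hash(peer, auth, server_name),
    )


if __name__ == "__main__":
    typed = "alice@example.org"   # constructed: name the supplicant hashed
    stripped = "alice"            # constructed: name after stripping
    print("RFC vector :", challenge_hash(RFC_PEER, RFC_AUTH, "User").hex())
    print("typed      :", challenge_hash(RFC_PEER, RFC_AUTH, typed).hex())
    print("stripped   :", challenge_hash(RFC_PEER, RFC_AUTH, stripped).hex())
    print("verifier agrees with client:",
          names_agree(RFC_PEER, RFC_AUTH, typed, stripped))
```

Because the verifier never sees the client's intermediate hash, only the final NT-Response, a name that differs from the one the supplicant hashed shows up simply as a failed authentication.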
