Hi, I am trying to make PEAP working with an LDAP/Samba backend and MSCHAPv2. It works well for the user authentication (they have lm and nt stored in the LDAP). However, the machine auth is causing issues. It appears to have only the NT-Password stored in the LDAP. I thought it should be sufficient for the MSCHAP to handle the auth, is it? ldap] looking for check items in directory... [ldap] acctFlags -> SMB-Account-CTRL-TEXT == "[W ]" [ldap] userPassword -> Password-With-Header == "..." [ldap] ntPassword -> NT-Password == 0x34343446...242 [ldap] looking for reply items in directory... [ldap] user host/dti-dahport authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/packetfence-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/raddb/sites-enabled/packetfence-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] Found NT-Password [mschap] Creating challenge hash with username: host/dti-dahport [mschap] Told to do MS-CHAPv2 for host/dti-dahport with NT-Password [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject My MSCHAP Config : mschap { use_mppe = yes require_encryption = yes require_strong = yes with_ntdomain_hack = yes } Any thoughts? Thanks! -- Francois Gaudreault, ing. jr fgaudreault@inverse.ca :: +1.514.447.4918 (x130) :: www.inverse.ca Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)