Hi List. I have a Q about MS-CHAP and MPPE configuration for FreeRADIUS. OS and software versions Servers OS Solaris 9 SPARC FreeRADIUS 1.0.2 OpenLDAP 2.2.24 SAMBA 3.0.11 Network gateways Cisco PIX 506, IOS 6.3(4) PPTP VPN Clients Windows 2K/XP, MAC OSX. The RADIUS server we're talking about is a secondary LDAP server and SAMBA BDC as well. I'd like to use this FreeRADIUS as a username/password backend for PPTP VPN clients. VPN hub in my case is Cisco PIX device, which supports AAA RADIUS for PPTP VPDN groups. PPTP VPN against Cisco PIX works perfectly well with local authentication, i.e when usernames/passwords are configured locally on PIX. The RADIUS is already configured with OpenLDAP as a backend, authenticating against userPassword attribute. This part works OK. The OpenLDAP server is also a backend for my SAMBA domain controller, the same domain I'm trying to use for user logins via PPTP VPN. All users have both POSIX and SAMBA attiributes in LDAP. The following chain works. Cisco VPN clients --- NAS --- RADIUS --- LDAP This one doesn't PPTP VPN clients --- NAS --- RADIUS --- SAMBA --- LDAP I have configured RADIUS server as following (omitted some lines here). Modules section mschap { authtype = MS-CHAP use_mppe = yes #require_encryption = yes #require_strong = yes #with_ntdomain_hack = no #ntlm_auth = "/usr/local/samba/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" } ldap { server = localhost basedn = "ou=People,dc=orcsoftware,dc=com" filter = "(&(objectClass=posixAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))" start_tls = no password_attribute = userPassword } authorize { preprocess auth_log reply_log mschap suffix ldap } authenticate { Auth-Type MS-CHAP { mschap } Auth-Type LDAP { ldap } } For PPTP logins it doesn't work for user MYDOMAIN\username and the server says (omiting the beginning of debug) Fri Jun 3 12:50:37 2005 : Debug: modsingle[authenticate]: calling mschap (rlm_mschap) for request 0 Fri Jun 3 12:50:37 2005 : Debug: rlm_mschap: No User-Password configured. Cannot create LM-Password. Fri Jun 3 12:50:37 2005 : Debug: rlm_mschap: No User-Password configured. Cannot create NT-Password. Fri Jun 3 12:50:37 2005 : Debug: rlm_mschap: Told to do MS-CHAPv1 with NT-Password Fri Jun 3 12:50:37 2005 : Debug: rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. Fri Jun 3 12:50:37 2005 : Debug: rlm_mschap: MS-CHAP-Response is incorrect. My Q is: should I use ntlm_auth program for getting NTLM passwords? If yes, should my RADIUS server be join a SAMBA domain which it is trying to use? Actually I'm a bit confused here and highlighting how RADIUS obtains or generates MPPE keys might be heplful. Any hints or useful URLs would be highly appreciated. Cheers, A.