On 26.07.19 21:34, J Kephart wrote:
Let me see if I can be a little more clear. I'm pretty sure that, reading the debug output, the problem is that the user password is not present in the packet that FR receives from the NAS.
MSCHAP is a Challenge-Response protcol, there is *no* password coming from the NAS. Everything the protocol does is contained in MS-CHAP-Challenge and MS-CHAP2-Response. Both the client and the server need the cleartext-password (or the NT/LM-Hash for MSCHAP) to be able to do the math for the handshake. The server complains it has no Cleartext-Password or NT-Hash or LM-Hash in the data it got from the database and thus rejects the client, because there is nothing more it can do. Solution: You need to have the users cleartext-password in your database. And just in case the question comes up: no, it can't be hashed or encrypted. If you want to do *any* challenge-response protocol like MSCHAP, the server needs the cleartext-password, there is no mathematical way around this. Grüße, Sven.