I've been following the FreeRadius Deployment guide http://deployingradius.com/documents/configuration/active_directory.html The following software is installed on a Centos 6 VM: - Samba 3.5.4, Freeradius 2.1.9, wpa_supplicant-0.7.3, gcc v4.4.4-13, openssl, winbind. I successfully performed basic configuration tests with the 'eapol_test' command for: - PAP, EAP, EAP-TLS, EAP-TTLS, EAP-MD5 & EAP-MSCHAPv5. I've created production certificates & successfully tested for the above protocols. Installed Kerberos 1.8.2 & tested that successfully. I started to configure FreeRadius with AD and successfully tested it to use ntlm_auth. I've got to the final stage "Configuring FreeRADIUS to use ntlm_auth for MS-CHAP" in the deployment process. This stage says: 1) "... delete the testing entry used above from the users file, ...", which I've done. 2) "... fine (sic) the mschap module in raddb/modules/mschap file, and look for the line containing ntlm_auth = . It ... should be uncommented, ...", which I've done. 3) "Start the server ..." I ran 'radiusd -X'. 4) "... and use a test client to send an MS-CHAP authentication request." I've used the command 'eapol_test -c peap-mschapv2-cert-ntlm_auth.conf -s testing123'. I can see from the 'radiusd -X' output that FreeRadius is not using MS-CHAP correctly: <snip> [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Told to do MS-CHAPv2 for USERNAME with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject <snip> The 'eapol_test' output reflects this: <snip> EAP-PEAP: Selected Phase 2 EAP vendor 0 method 26 EAP-MSCHAPV2: RX identifier 8 mschapv2_id 8 EAP-MSCHAPV2: Received challenge EAP-MSCHAPV2: Authentication Servername - hexdump_ascii(len=11): 65 64 75 72 6f 61 6d 74 65 73 74 USERNAME EAP-MSCHAPV2: Generating Challenge Response MSCHAPV2: Identity - hexdump_ascii(len=11): 65 64 75 72 6f 61 6d 74 65 73 74 USERNAME MSCHAPV2: Username - hexdump_ascii(len=11): 65 64 75 72 6f 61 6d 74 65 73 74 USERNAME MSCHAPV2: auth_challenge - hexdump(len=16): a5 e6 9e fa 6e 1f ec 2f 0b b6 a3 96 ef 45 15 32 MSCHAPV2: peer_challenge - hexdump(len=16): 44 31 43 ff 2f 12 5b 25 b5 eb fb 59 6f 8d 2a a9 MSCHAPV2: username - hexdump_ascii(len=11): 65 64 75 72 6f 61 6d 74 65 73 74 USERNAME MSCHAPV2: password - hexdump_ascii(len=20): 77 6f 72 6b 6d 61 6e 20 74 6f 64 61 79 20 61 72 PASSWORD 6e 69 63 61 MSCHAPV2: NT Response - hexdump(len=24): 66 67 95 3d 56 d6 ab b4 ab ba 64 bf 6c db 8b 51 77 ad 3e bc 96 26 7c 7a MSCHAPV2: Auth Response - hexdump(len=20): f0 95 4d 86 ee 82 8f c0 12 84 cc a7 d0 72 fb e6 95 b3 ef d1 MSCHAPV2: Master Key - hexdump(len=16): 31 8d ae c0 3d e1 42 0f ae 05 bc f0 72 da 98 72 EAP-MSCHAPV2: TX identifier 8 mschapv2_id 8 (response) EAP-PEAP: Encrypting Phase 2 data - hexdump(len=70): 02 08 00 46 1a 02 08 00 41 31 44 31 43 ff 2f 12 5b 25 b5 eb fb 59 6f 8d 2a a9 00 00 00 00 00 00 00 00 66 67 95 3d 56 d6 ab b4 ab ba 64 bf 6c db 8b 51 77 ad 3e bc 96 26 7c 7a 00 65 64 75 72 6f 61 6d 74 65 73 74 <snip> RADIUS packet matching with station decapsulated EAP packet (code=4 id=9 len=4) from RADIUS server: EAP Failure EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Failure EAP: EAP entering state FAILURE CTRL-EVENT-EAP-FAILURE EAP authentication failed EAPOL: SUPP_PAE entering state HELD EAPOL: SUPP_BE entering state RECEIVE EAPOL: SUPP_BE entering state FAIL EAPOL: SUPP_BE entering state IDLE eapol_sm_cb: success=0 EAPOL: EAP key not available EAP: deinitialize previously used EAP method (25, PEAP) at EAP deinit ENGINE: engine deinit MPPE keys OK: 0 mismatch: 1 FAILURE The peap-mschapv2-cert-ntlm_auth.conf file contains: # # eapol_test -c peap-mschapv2-cert-ntlm_auth.conf -s testing123 # eapol_version=1 fast_reauth=0 network={ key_mgmt=WPA-EAP eap=PEAP identity="USERNAME" # anonymous_identity="anonymous" password="PASSWORD" phase2="auth=MSCHAPV2" priority=10 # # Uncomment the following to perform server certificate validation. ca_cert="/etc/raddb/certs/ca.der" } The file /etc/raddb/modules/mschap contains: # -*- text -*- # # $Id$ # Microsoft CHAP authentication # # This module supports MS-CHAP and MS-CHAPv2 authentication. # It also enforces the SMB-Account-Ctrl attribute. # mschap { #ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-CAMPUS} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" } /etc/raddb/users contains (commented lines removed for clarity): # DEFAULT Auth-Type = ntlm_auth # DEFAULT Framed-Protocol == PPP Framed-Protocol = PPP, Framed-Compression = Van-Jacobson-TCP-IP DEFAULT Hint == "CSLIP" Framed-Protocol = SLIP, Framed-Compression = Van-Jacobson-TCP-IP DEFAULT Hint == "SLIP" Framed-Protocol = SLIP /etc/raddb/sites-enabled/default, a link to ../sites-available/default, contains (most commented lines removed): authorize { preprocess chap mschap # digest # wimax # IPASS suffix # ntdomain eap { ok = return } unix files # sql # etc_smbpasswd # ldap # daily # checkval expiration logintime pap # Autz-Type Status-Server { # # } } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } # digest # pam unix # Auth-Type LDAP { # ldap # } eap # Auth-Type eap { # eap { # handled = 1 # } # if (handled && (Response-Packet-Type == Access-Challenge)) { # attr_filter.access_challenge.post-auth # handled # override the "updated" code from attr_filter # } # } ntlm_auth } preacct { preprocess # update request { # FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}" # } acct_unique # # IPASS suffix # ntdomain files } accounting { detail # daily unix radutmp # sradutmp # main_pool # sql # if (noop) { # ok # } # sql_log # pgsql-voip attr_filter.accounting_response # Acct-Type Status-Server { # # } } session { radutmp # sql } post-auth { # main_pool # reply_log # sql # sql_log # ldap exec # wimax Post-Auth-Type REJECT { # sql attr_filter.access_reject } } pre-proxy { # attr_rewrite # files # attr_filter.pre-proxy # pre_proxy_log } post-proxy { # post_proxy_log # attr_rewrite # attr_filter.post-proxy eap # Post-Proxy-Type Fail { # detail # } } /etc/raddb/sites-enabled/inner-tunnel, a link to ../sites-available/inner-tunnel, contains (commented lines removed): server inner-tunnel { #listen { # ipaddr = 127.0.0.1 # port = 18120 # type = auth #} authorize { chap mschap unix # IPASS suffix # ntdomain update control { Proxy-To-Realm := LOCAL } eap { ok = return } files # sql # etc_smbpasswd # ldap # daily # checkval expiration logintime pap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } # pam unix # Auth-Type LDAP { # ldap # } eap ntlm_auth } session { radutmp # sql } post-auth { # reply_log # sql # sql_log # ldap Post-Auth-Type REJECT { # sql attr_filter.access_reject } } pre-proxy { # attr_rewrite # files # attr_filter.pre-proxy # pre_proxy_log } post-proxy { # post_proxy_log # attr_rewrite # attr_filter.post-proxy eap # Post-Proxy-Type Fail { # detail # } } } # inner-tunnel server block However, it's not clear to me where the problem lies. I've attached various files to illustrate the problem. Can anyone point me in the direction of a solution? I've not included full versions of the output due to the mailing list's message size limit. Please let me know if I've not included sufficient information to diagnose the problem. Cheers Martin. P.S. I've hidden the actual username & password used.