Steve,
#ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}"
This stanza is a enclosed with the mschap section, still nothing ventured.... I changed the line and unfolded it and ran radiusd -X. The first request didn't match anything usefull and was rejected by System. I tried again but ticked the box 'CHAP' on NTRadPing and got the output:
<snip>
rad_check_password: Found Auth-Type CHAP auth: type "CHAP" Processing the authenticate section of radiusd.conf modcall: entering group CHAP for request 0 rlm_chap: login attempt by "burst01" with CHAP password rlm_chap: Could not find clear text password for user burst01 modcall[authenticate]: module "chap" returns invalid for request 0 modcall: leaving group CHAP (returns invalid) for request 0
You can't do this. If you want to do ntlm_auth, you need to use an authentication protocol that provides FreeRADIUS with either the user's (1) cleartext credentials or (2) the user's NT credentials. CHAP won't work - it's impossible. However PAP will work, as will MS-CHAP. CHAP is different from MS-CHAP. best regards, josh.