Hello, First of all, sorry for my english if there is some mistakes. I'm trying to set up an authentication between a freeradius 3.0 server and a Samba 4 AD using ntlm_auth. I apply the configuration from deployingradius.com/documents/configuration/active_directory.html but i got an error when testing with the "radtest -t mschap user passwd 127.0.0.1 0 testing123" command. Here is the issue of the freeradius -X debug : (11) Received Access-Request Id 115 from 127.0.0.1:60705 to 127.0.0.1:1812 length 143 (11) User-Name = "dupalutb@esiee.fr" (11) NAS-IP-Address = 127.0.1.1 (11) NAS-Port = 0 (11) Message-Authenticator = 0xe7c32a18a131310841e6f149e528647b (11) MS-CHAP-Challenge = 0x9aa1c8732f3e45a9 (11) MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000c93d69617f9ccbf98d1b673b2d75a401034e14ac56100964 (11) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/eduroam (11) authorize { (11) if (!(User-Name =~ /@/)){ (11) if (!(User-Name =~ /@/)) -> FALSE (11) if (User-Name =~ /@$/){ (11) if (User-Name =~ /@$/) -> FALSE (11) if (User-Name =~ /@.+?@/){ (11) if (User-Name =~ /@.+?@/) -> FALSE (11) if (User-Name =~ /@.+?[^[:alnum:]\\.-]/){ (11) if (User-Name =~ /@.+?[^[:alnum:]\\.-]/) -> FALSE (11) if (User-Name =~ /@[\\.-]/){ (11) if (User-Name =~ /@[\\.-]/) -> FALSE (11) if (User-Name =~ /@.+?[\\.-]$/){ (11) if (User-Name =~ /@.+?[\\.-]$/) -> FALSE (11) if (User-Name =~ /@[^\\.]+$/){ (11) if (User-Name =~ /@[^\\.]+$/) -> FALSE (11) if (User-Name =~ /@.+?\\.\\./){ (11) if (User-Name =~ /@.+?\\.\\./) -> FALSE (11) if (User-Name =~ /@myabc\\.com$/i){ (11) if (User-Name =~ /@myabc\\.com$/i) -> FALSE (11) if (User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i){ (11) if (User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i) -> FALSE (11) if (User-Name =~ /@gmail\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i){ (11) if (User-Name =~ /@gmail\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i) -> FALSE (11) if (User-Name =~ /@yahoo\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i){ (11) if (User-Name =~ /@yahoo\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i) -> FALSE (11) if (User-Name =~ /@hotmail\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i){ (11) if (User-Name =~ /@hotmail\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i) -> FALSE (11) if (User-Name =~ /@\\.?ac\\.uk$/i){ (11) if (User-Name =~ /@\\.?ac\\.uk$/i) -> FALSE (11) if (User-Name =~ /@.+?\\.ax\\.uk$/i){ (11) if (User-Name =~ /@.+?\\.ax\\.uk$/i) -> FALSE (11) [preprocess] = ok (11) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (11) auth_log: --> /var/log/freeradius/radacct/ 127.0.0.1/auth-detail-20180703 (11) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20180703 (11) auth_log: EXPAND %t (11) auth_log: --> Tue Jul 3 17:36:31 2018 (11) [auth_log] = ok (11) policy operator-name.authorize { (11) if ("%{client:Operator-Name}") { (11) EXPAND %{client:Operator-Name} (11) --> (11) if ("%{client:Operator-Name}") -> FALSE (11) } # policy operator-name.authorize = ok (11) policy cui.authorize { (11) if ("%{client:add_cui}" == 'yes') { (11) EXPAND %{client:add_cui} (11) --> (11) if ("%{client:add_cui}" == 'yes') -> FALSE (11) } # policy cui.authorize = ok (11) [chap] = noop (11) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' (11) [mschap] = ok (11) [digest] = noop (11) suffix: Checking for suffix after "@" (11) suffix: Looking up realm "esiee.fr" for User-Name = "dupalutb@esiee.fr" (11) suffix: Found realm "esiee.fr" (11) suffix: Adding Stripped-User-Name = "dupalutb" (11) suffix: Adding Realm = "esiee.fr" (11) suffix: Authentication realm is LOCAL (11) [suffix] = ok (11) eap: No EAP-Message, not doing EAP (11) [eap] = noop (11) files: users: Matched entry DEFAULT at line 1 (11) [files] = ok (11) [expiration] = noop (11) [logintime] = noop (11) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (11) pap: WARNING: Authentication will fail unless a "known good" password is available (11) [pap] = noop (11) } # authorize = ok (11) Found Auth-Type = mschap (11) # Executing group from file /etc/freeradius/3.0/sites-enabled/eduroam (11) authenticate { (11) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password (11) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password (11) mschap: Client is using MS-CHAPv1 with NT-Password (11) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication (11) mschap: ERROR: MS-CHAP2-Response is incorrect (11) [mschap] = reject (11) } # authenticate = reject (11) Failed to authenticate the user (11) Using Post-Auth-Type Reject (11) # Executing group from file /etc/freeradius/3.0/sites-enabled/eduroam (11) Post-Auth-Type REJECT { (11) attr_filter.access_reject: EXPAND %{User-Name} (11) attr_filter.access_reject: --> dupalutb@esiee.fr (11) attr_filter.access_reject: Matched entry DEFAULT at line 11 (11) [attr_filter.access_reject] = updated (11) [eap] = noop (11) policy remove_reply_message_if_eap { (11) if (&reply:EAP-Message && &reply:Reply-Message) { (11) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (11) else { (11) [noop] = noop (11) } # else = noop (11) } # policy remove_reply_message_if_eap = noop (11) } # Post-Auth-Type REJECT = updated (11) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (11) Sending delayed response (11) Sent Access-Reject Id 115 from 127.0.0.1:1812 to 127.0.0.1:60705 length 61 (11) MS-CHAP-Error = "\000E=691 R=1 C=32c072eb4937c259 V=2" Waking up in 3.9 seconds. (11) Cleaning up request packet ID 115 with timestamp +545 It seems that radius try to use mschap authentication method instead of ntlm_auth. Where did i make a mistake ? Thanks in advance for your suggestions. Regards , *Benjamin Dupalut* Administrateur système et réseau Service des Moyens Informatiques Généraux (SMIG) ESIEE Paris 2 bd Blaise Pascal - 93162 Noisy-le-Grand Cedex T : +33 1 45 92 66 17 benjamin.dupalut@esiee.fr www.esiee.fr / www.cci-paris-idf.fr