Hi, I purged my configuration and started it again from the default state. The system is Debian Bullseye. dpkg --purge freeradius freeradius-ldap freeradius-krb5 freeradius-common freeradius-utils freeradius-config apt install freeradius freeradius-ldap freeradius-krb5 freeradius-common freeradius-utils freeradius-config mkdir /var/log/freeradius/radacct I've created vpn user before. I started the setup now according to this: https://wiki.freeradius.org/guide/freeradius-active-directory-integration-ho... ntlm_auth --request-nt-key --domain=ad --username=vpn OK. setfacl -m u:radiusd:rx /var/lib/samba/winbindd_privileged clients.conf: client localhost { ipaddr = 127.0.0.1 netmask = 32 secret = xyz shortname = localhost } mods-available-mschap: mschap { with_ntdomain_hack = yes ... winbind_username = "%{mschap:User-Name}" ##winbind_domain = "%{mschap:NT-Domain}" winbind_domain = "ad.ourdomain.hu" Why "%{mschap:NT-Domain}"doesn't work? mods-available/eap: default_eap_type = peap In tls-config tls-common { : random_file = /dev/urandom In the users file: bob Cleartext-Password := "asdfg", MS-CHAP-Use-NTLM-Auth := 0 Reply-Message := "Hello, %{User-Name}" Testing: radtest -x -t mschap vpn "qwert" localhost 0 asdfg Debug messages: (3) Received Access-Request Id 205 from 127.0.0.1:54834 to 127.0.0.1:1812 length 129 (3) User-Name = "vpn" (3) NAS-IP-Address = 1.2.3.4 (3) NAS-Port = 0 (3) Message-Authenticator = 0xd38e4b9f5882a26aac2b6c434193ce2c (3) MS-CHAP-Challenge = 0xf5cbfa7a17cd01a9 (3) MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000018e5b4331f9534d83e07def8a29c802dfd30a011e2e6224a (3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (3) authorize { (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = notfound (3) } # policy filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' (3) [mschap] = ok (3) [digest] = noop (3) suffix: Checking for suffix after "@" (3) suffix: No '@' in User-Name = "vpn", looking up realm NULL (3) suffix: No such realm "NULL" (3) [suffix] = noop (3) eap: No EAP-Message, not doing EAP (3) [eap] = noop (3) [files] = noop (3) [expiration] = noop (3) [logintime] = noop Not doing PAP as Auth-Type is already set. (3) [pap] = noop (3) } # authorize = ok (3) Found Auth-Type = mschap (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (3) authenticate { (3) mschap: Client is using MS-CHAPv1 with NT-Password (3) mschap: EXPAND %{mschap:User-Name} (3) mschap: --> vpn rlm_mschap (mschap): Reserved connection (7) (3) mschap: sending authentication request user='vpn' domain=' ad.ourdomain.hu' rlm_mschap (mschap): Released connection (7) Need 1 more connections to reach min connections (3) rlm_mschap (mschap): Opening additional connection (9), 1 of 30 pending slots used (3) mschap: Authenticated successfully (3) mschap: adding MS-CHAPv1 MPPE keys (3) [mschap] = ok (3) } # authenticate = ok Why vpn@ad.ourdomain.hu doesn't work? radtest -x -t mschap vpn@ad.ourdomain.hu "qwert" localhost 0 asdfg Debug messages: (4) Received Access-Request Id 203 from 127.0.0.1:34360 to 127.0.0.1:1812 length 145 (4) User-Name = "vpn@ad.ourdomain.hu" (4) NAS-IP-Address = 1.2.3.4 (4) NAS-Port = 0 (4) Message-Authenticator = 0x6f31019a0d498b004da273a6cdf4dae3 (4) MS-CHAP-Challenge = 0x0c602d2a989f07bd (4) MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000005fe2f91d70356771e4af8a27ddcfec463f235dfcf04e7e31 (4) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (4) authorize { (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = notfound (4) } # policy filter_username = notfound (4) [preprocess] = ok (4) [chap] = noop (4) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' (4) [mschap] = ok (4) [digest] = noop (4) suffix: Checking for suffix after "@" (4) suffix: Looking up realm "ad.ourdomain.hu" for User-Name = " vpn@ad.ourdomain.hu" (4) suffix: No such realm "ad.ourdomain.hu" (4) [suffix] = noop (4) eap: No EAP-Message, not doing EAP (4) [eap] = noop (4) [files] = noop (4) [expiration] = noop (4) [logintime] = noop Not doing PAP as Auth-Type is already set. (4) [pap] = noop (4) } # authorize = ok (4) Found Auth-Type = mschap (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (4) authenticate { (4) mschap: Client is using MS-CHAPv1 with NT-Password (4) mschap: EXPAND %{mschap:User-Name} (4) mschap: --> vpn@ad.ourdomain.hu rlm_mschap (mschap): Closing connection (8): Hit idle_timeout, was idle for 772 seconds rlm_mschap (mschap): You probably need to lower "min" rlm_mschap (mschap): Reserved connection (7) (4) mschap: sending authentication request user='vpn@ad.ourdomain.hu' domain='ad.ourdomain.hu' rlm_mschap (mschap): Released connection (7) Need 1 more connections to reach min connections (3) rlm_mschap (mschap): Opening additional connection (10), 1 of 30 pending slots used (4) mschap: ERROR: The specified account does not exist. [0xC0000064] (4) mschap: ERROR: MS-CHAP2-Response is incorrect (4) [mschap] = reject (4) } # authenticate = reject (4) Failed to authenticate the user Thanks, Tamas Pisch.