Hi all, Thanks Arran and Alan for your responses. I'll see if I can get Freeradius to bind to LDAP as the user that is authenticating, and depending on the result, succesfully auithenticate the user. Thanks, Maarten ________________________________________ From: Freeradius-Users <freeradius-users-bounces+freeradius-list=servervault.nl@lists.freeradius.org> on behalf of Arran Cudbard-Bell <a.cudbardb@freeradius.org> Sent: Thursday, September 21, 2017 10:47 AM To: FreeRadius users mailing list Subject: Re: Using existing NTLM hashes rlm_ldap no longer strips off password headers (as it did in v2). {ntlm} is not a supported header. It doesn't to any kind of hashing scheme, you need to use nt or nthash. You can use rlm_pap to do password normification only, by listing it after ldap, but before mschap/eap in the authorize section of the inner tunnel server, then removing any references to the pap module in the authenticate section of the inner tunnel server. rlm_pap will process any Password-With-Header attributes, converting them into the correct attribute and adding them to the control list. We should probably move this out into a separate module in v4, but that's the way it's done for v3. -Arran