i have pptpd on a centos 6 box configured to use radius for auth. radius in turn checks credentials in ldap. the user in ldap has a samba extension and a configured password (i used ldap account manager to set it up) it also has a sambaNTPassword field and it's populated. rpm -q freeradius gives freeradius-2.1.12-4.el6_3.x86_64 the auth fails however when i try conencting from my windows8 client. i need to mention that i am sure i'm inputting correct passwords. this is the log from radiusd -X rad_recv: Access-Request packet from host 127.0.0.1 port 49338, id=12, length=152 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "testuser1" MS-CHAP-Challenge = 0x09235ac983790fedc6ccf93af69b67bf MS-CHAP2-Response = 0x5e004a81f91bcf75cd6452c64bd587a74f210000000000000000ff5eaa8a5df6639683423ed294074ceb705105d5d762932d Calling-Station-Id = "***.***.***.***" - edited out NAS-IP-Address = 127.0.0.1 NAS-Port = 0 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap' ++[mschap] returns ok ++[digest] returns noop [suffix] No '@' in User-Name = "testuser1", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [files] users: Matched entry DEFAULT at line 172 ++[files] returns ok [ldap] performing user authorization for testuser1 [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> testuser1 [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=testuser1) [ldap] expand: dc=my-domain,dc=com -> dc=my-domain,dc=com - edited out [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=my-domain,dc=com, with filter (uid=testuser1) [ldap] looking for check items in directory... [ldap] userPassword -> Password-With-Header == "{SSHA}YQwkujoqTZAKF1Jl1e1JRxKKvDVVRGYv" [ldap] sambaNtPassword -> NT-Password == 0x3331443643464530443136414539333142373343353944374530433038394330 [ldap] looking for reply items in directory... [ldap] user testuser1 authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Normalizing NT-Password from hex encoding [pap] Normalizing SSHA1-Password from base64 encoding [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = MSCHAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] Found NT-Password [mschap] Creating challenge hash with username: testuser1 [mschap] Told to do MS-CHAPv2 for testuser1 with NT-Password [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> testuser1 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 4 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 4 Sending Access-Reject of id 12 to 127.0.0.1 port 49338 MS-CHAP-Error = "^E=691 R=1 C=50685502b0ea6334450d0cd8077ac242 V=3 M=Re-enter (or reset) the password" Waking up in 4.9 seconds. Cleaning up request 4 ID 12 with timestamp +801 Ready to process requests.