Hi all, first of all thanks for your great help in my past questions! Sadly, I have yet another one, that I can not quite figure out. Maybe I missed something, I don’t know. I tried looking for past list-threads, to no avail. When my Windows client connects to the WiFi and subsequently to the FreeRADIUS server, it first authenticates via machine authentication (host/HOSTNAME.MYDOMAIN.COM). This fails and the client cannot connect to the WiFi: (6) eap: Calling submodule eap_mschapv2 to process data (6) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (6) eap_mschapv2: authenticate { (6) mschap: Creating challenge hash with username: host/HOSTNAME.DOMAIN.COM (6) mschap: Client is using MS-CHAPv2 (6) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --allow-mschapv2 --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}: (6) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} (6) mschap: --> --username=host/HOSTNAME.DOMAIN.COM (6) mschap: Creating challenge hash with username: host/HOSTNAME.DOMAIN.COM (6) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00} (6) mschap: --> --challenge=ef98e59da6aea4aa (6) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00} (6) mschap: --> --nt-response=1e7106295666480efb781446f97f618e57e09017da042590 (6) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)' (6) mschap: External script failed (6) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d) (6) mschap: ERROR: MS-CHAP2-Response is incorrect (6) eap_mschapv2: [mschap] = reject (6) eap_mschapv2: } # authenticate = reject However, if I manually configure the WiFi on my Windows device to only use user authentication, it works flawlessly (as expected): (14) eap_mschapv2: authenticate { (14) mschap: Creating challenge hash with username: calvin.haertl (14) mschap: Client is using MS-CHAPv2 (14) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --allow-mschapv2 --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}: (14) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} (14) mschap: --> --username=MYUSERNAME (14) mschap: Creating challenge hash with username: MYUSERNAME (14) mschap: Program returned code (0) (14) mschap: Adding MS-CHAPv2 MPPE keys (14) eap_mschapv2: [mschap] = ok (14) eap_mschapv2: } # authenticate = ok (14) eap_mschapv2: MSCHAP Success (14) eap: Sending EAP Request (code 1) ID 9 length 51 My FreeRADIUS server is connected to our Active Directory via SAMBA and winbind, and I checked that the users can authenticate via radtest. Is FreeRADIUS natively capable of doing machine authentication via AD, do I have to configure some additional files or are there any modules that I can install to do this for me? Kind regards, Calvin