Alan DeKok wrote:
The *client* has to supply the MS-CHAP magic using the LAN-manager password. Since the client always chooses NT-hashed passwords... using LAN manager passwords is not possible.
From the README is src/modules/rlm_mschap ***** The method just described is called NT-encryption by the RFC. MS-CHAP is actually designed for compatability with Microsoft LAN Manager as well. The response returned by the client actually contains an LM encrypted response as well as the NT-encrypted password. This implementation only uses the NT-encrypted response, which seems to work fine for Windows 98 and Windows 2000. ***** So it seems more a limit of the server. Could it be possible to see in the debug if the two encrypted pwd are available ? if thy're there it could be possible to write a patch and, possibly, to attach directly to the AD (which seems to make that LM pwd available).