problems authenticating

jck-freeradius at jck-freeradius at
Tue Jul 12 00:05:47 CEST 2005

On Mon, Jul 11, 2005 at 05:26:54PM -0400, Alan DeKok wrote:
> jck-freeradius at wrote:
> >   rlm_mschap: Told to do MS-CHAPv2 for johnk with NT-Password
> >   rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
>   That's pretty definitive.

I thought so as well.  I am 99% sure that the NTLM passwords I am
using are valid.

> > My thoughts are that SQL and MSCHAP should be in the authorization section,
> > and MSCHAP and EAP should be in authentication.
>   "eap" should be in the "authorize" section, too.  That's the way the
> server comnes configured.

radiusd.conf now reads, in part:

authorize {

authenticate {
        #  MSCHAP authentication.
        Auth-Type MS-CHAP {


> > I am storing NTLM passwords in my SQL server.
> ...
> > | 1490 | johnk    | User-Password | == | 0393A990E3426721695109AB020K4E1C:FBFR81520C5BDDENOTREALPASSWORD33 |
>   No, you're not.
>   You're telling the server that the clear-text password is a hex
> string, which it's not.
>   If you want to store the NT-hashed passwords in SQL, use the
> "NT-Password" attribute, and ensure that the value is 32 bytes of hex
> data.

When using NT-Password, I was noticing that the sql authorization phase
would not return OK.  Switching it to User-Password seemed to fix that
(albeit not correctly).  I have switched radcheck back to using Attributes
of NT-Password.

>   But before you do that, I would STRONGLY suggest storing a simple
> clear-text password in SQL, like "test".  Verify that it works, and
> THEN start storing NT password.

I have a test account, named testacct.  I have switched his values in radcheck
to "Password == monkey"

host:/etc/raddb # radtest testacct monkey host:1645 0 testing123
Sending Access-Request of id 77 to
        User-Name = "testacct"
        User-Password = "monkey"
        NAS-IP-Address = hecate
        NAS-Port = 0
rad_recv: Access-Accept packet from host, id=77, length=37
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Type:0 = VLAN
        Tunnel-Private-Group-Id:0 = "111"
host:/etc/raddb # 

>   By trying to configure 3 things at the same time, you guarantee that
> you can't possible figure out which one of the three is failing.


I am including two URLs.  One with debug logs showing user 'johnk'
trying to AAA, using NT-Password.  The other shows testacct 
 (using the same supplicant as johnk, XP) using Password (cleartext).

NT-Password, logging in as johnk:

Password, logging in as testacct:

Notice that with changing the Attribute in radcheck to Password, and assigning
the Value a cleartext, Access-Accept is generated.


More information about the Freeradius-Users mailing list