need help configuring ntlm_auth w/ freeradius 1.0.1

Alan DeKok aland at
Tue Jul 12 18:33:05 CEST 2005

"Ken George" <Ken.George at> wrote:
> Also, my final goal is to authenticate clients to a Cisco Aironet 1200
> via our Windows 2003 Active Directory usernames and passwords is
> ntlm_auth the correct method to use?
> Below are the ntlm_auth section of radiusd.conf and the radtest string
> used and the debug output from the other window.
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> --username=%{Stripped-User-Name:-%{User-Name:-None}}
> --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00}
> --nt-response=%{mschap:NT-Response:-00}"

  That looks fine.

> radtest "test ops" xxxxxx localhost 0 testing123

  That doesn't use MSCHAPv2, so the MSCHAP module won't run, and the
ntlm_auth program won't run.

  If you want to pass *clear-text* passwords to ntlm_auth, you've got
to do something different.  The command-line example you posted works,
because you're giving it a clear-text password.  The mschap
configuration you posted uses mschap, and doesn't send a clear-text

  So... the mschap configuration you posted won't work with clear-text
passwords.  The debug output you posted shows this.  You use "radtest"
to send a clear-text password, and the mschap module doesn't run.
This shouldn't be a surprise.

  What you need to do is to configure a *different* ntlm_auth, only
for clear-text passwords.  The simplest way to do this is to use the
"exec" module:

modules {
	exec win_domain {
	     # wait for ntlm_auth to exit; its exit status (0 = ok) decides accept/reject
	     wait = yes
	     input_pairs = request
	     output_pairs = reply
	     program = "ntlm_auth --username=\"%{User-Name}\" --password=\"%{User-Password}\" --domain=usmisgne"
	}
}

  Now list "win_domain" in the "authenticate" section, and add the
following entry to the "users" file:

DEFAULT	  Auth-Type = win_domain

  This will use "win_domain" for authentication UNLESS the mschap
module has previously found MSCHAP in the request.

  Alan DeKok.
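
As an added illustration (not part of the original thread), this Python models the dispatch described above: how the two ntlm_auth command strings expand with %{Attr:-default} fallbacks, and which one a clear-text request from radtest versus an MS-CHAPv2 request ends up running. The sample requests, the kgeorge username and the copied-through mschap: values are constructed assumptions; real rlm_mschap derives those values from the MS-CHAP attributes.

```python
import re
import shlex

# Constructed sample requests (not from the thread): the clear-text request
# radtest sends, and an MS-CHAPv2 request as a wireless client would send.
PAP_REQUEST = {"User-Name": "test ops", "User-Password": "xxxxxx"}
MSCHAP_REQUEST = {"User-Name": "kgeorge",
                  "MS-CHAP-Challenge": "0x" + "01" * 16,
                  "MS-CHAP2-Response": "0x" + "02" * 50}

# The two ntlm_auth command strings from the thread.
MSCHAP_PROGRAM = ("/usr/bin/ntlm_auth --request-nt-key "
                  "--username=%{Stripped-User-Name:-%{User-Name:-None}} "
                  "--domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00} "
                  "--nt-response=%{mschap:NT-Response:-00}")
WIN_DOMAIN_PROGRAM = ('ntlm_auth --username="%{User-Name}" '
                      '--password="%{User-Password}" --domain=usmisgne')

INNER = re.compile(r"%\{([^{}]*)\}")  # innermost %{...} first, so nesting works

def xlat(template, attrs):
    """Simplified radiusd xlat: %{Attr} or %{Attr:-default}; an unset
    attribute yields its default, or the empty string if it has none."""
    while (m := INNER.search(template)):
        name, _, default = m.group(1).partition(":-")
        value = attrs.get(name)
        template = template[:m.start()] + (default if value is None else value) + template[m.end():]
    return template

def authorize(request):
    """Auth-Type selection from the thread: mschap claims requests carrying
    MS-CHAP attributes; otherwise the users-file DEFAULT gives win_domain."""
    if "MS-CHAP-Challenge" in request and "MS-CHAP2-Response" in request:
        return "MS-CHAP"
    return "win_domain"

def build_argv(request):
    """Return (Auth-Type, argv) for the ntlm_auth invocation that path runs."""
    auth_type = authorize(request)
    if auth_type == "MS-CHAP":
        # Simplification: rlm_mschap derives these xlats from the MS-CHAP
        # attributes; here they are copied through so the template expands.
        attrs = {**request, "mschap:NT-Domain": "usmisgne",
                 "mschap:Challenge": request["MS-CHAP-Challenge"][2:],
                 "mschap:NT-Response": request["MS-CHAP2-Response"][2:]}
        template = MSCHAP_PROGRAM
    else:
        attrs, template = request, WIN_DOMAIN_PROGRAM
    # Split into an argv list (quotes group words); never hand it to a shell.
    return auth_type, shlex.split(xlat(template, attrs))
```

Note that the quotes in the win_domain program string are what keep a username containing a space, such as "test ops", together as one argument.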

More information about the Freeradius-Users mailing list