MSCHAP module returns OK, authentication fails..

Alan DeKok aland at
Wed Aug 27 13:35:19 CEST 2008

James Yale wrote:
> With a default configuration EAP works with a user specified in the
> users file with a cleartext password
> ( *-success.log files).
> This works via eapol and a Mac test client.


> As soon as I enable the MSCHAP module (uncommenting the ntlm auth
> line) all authentication queries the AD here, so the locally
> configured user fails. When I try a user configured in the AD I'm
> getting:
> EAP-MSCHAPV2: Invalid authenticator response in success request

  Upgrade Samba.  If you're not using at least 3.2.1, upgrade to that.

> *-failure.log), the
> message authenticator does seem to be invalid,

  No.  eapol_test is saying that the MSCHAP response is invalid.

> Has anyone seen this problem before, or am I looking in the wrong place?

  Others have seen exactly the same thing in the past weeks.  Upgrading
Samba fixed it.

  Alan DeKok.
