Authentication with mschap

Eric Bourkland eric.bourkland at trustedconcepts.com
Fri Aug 14 15:40:08 CEST 2009


Need some help pointing me in the right direction.  I think I know what the problem is but I don't know where to look.  I think the problem is my FreeRADIUS server and OpenLDAP server are not talking perfectly.

I am trying to do MS-CHAPv2 authentication so that Windows machines can connect to our access point without having to install additional software.
One of the glaring things that jumps out at me is that in the logs/debugging it says message-Authenticator = 0x000000...

It looks like it is trying the correct authentication:

...
Told to do MS-CHAPv2 for test.user with NT-Password
FAILED: No NT/LM-Password. Cannot perform authentication.
FAILED: MS-CHAP2-Response is incorrect.
...

and then the error message:
peap got tunnel reply code3
MS-CHAP-Error = "\007E=691 R=1"

Okay, that message is pretty clear to me, but I do have an NT-Password in sambaNTPassword and it is populated/stored in NT hash format,
and there is a mapping in ldap.attrmap:
checkItem  NT-Password   sambaNtPassword

I haven't done anything funky with the config files like setting Auth-Type = to anything; I've read enough that it is a big no-no.  The only thing I've done is uncomment a few things so that it will use ldap.  And everything works when I use radtest, so I know my connection to my ldap server is okay, but radtest is using a different protocol, as I've been learning through this whole experience.

If anyone can point me in the right direction I would greatly appreciate it.

Thanks,


