Authentication with mschap

Eric Bourkland eric.bourkland at
Mon Aug 17 19:48:15 CEST 2009

It looks like I might have figured it out, I had commented out the line I had added that I actually needed.  I wasn't telling Radius where to look in LDAP for the password field.

I can get my windows XP laptops to connect without a problem, still having a bit of a problem with the Mac laptops since they have a few more options available to them, it is trying to do authentication other than PEAP/MSChapv2.  Looks like EAP which won't work with the clear-text password.  So just need to figure out how to set their request up properly.

Is there a way for freeRadius to check both? for instance windows machines use the MSCHAPv2 and then Mac machines use pap or something else?  I would think that this would work without a problem but need to configrm.  Is it smart enough to know that if the request comes in from a Mac or someone with SecureW2 that it can do PAP and from Windows the request to use MSCHAPv2, it looks like it goes through every possible configuration and checks anyway.  


----- Original Message -----
From: "Alan DeKok" <aland at>
To: "FreeRadius users mailing list" <freeradius-users at>
Sent: Monday, August 17, 2009 9:17:46 AM GMT -05:00 US/Canada Eastern
Subject: Re: Authentication with mschap

Eric Bourkland wrote:
> No Cleartext-Password configured.  Cannot create LM-Password
> No Cleartext-Password configured.  Cannot create NT-Password
> Told to do MS-CHAPv2 for test.user with NT-Password
> FAILED: No NT/LM-Password. Cannot perform authentication.
> FAILED: MS-CHAP2-Response is incorrect.

  Which is what you posted before.  This doesn't help.

> what it looks like to me is that Radius isn't getting the Cleartext-Password from the laptop client, I don't know if this the case or not.  the laptop client is Window's XP pro build and some Vista, and whatever else a guest may bring in.  I assumed that it would pass the password in the Cleartext-Password attribute when using the MS-CHAPv2, I need to confrim this.  I can get it to work if I install SecureW2 but I've been told that asking everyone to install it on the laptops isn't an option.
> This protocol is relatively new to me at least how all the various pieces of software handle it.
> I know I'm close I just need help being pointed in the right direction on where the disconnect is occuring.  right now I am pretty certain it is not between Radius and my openLDAP.

  The issue is that the NT password is NOT being read from LDAP, and is
NOT being given to FreeRADIUS.

  Read the REST of the debug output to see why.  Or failing that, post
the debug output here, as suggested in the FAQ, README, INSTALL, "man"
page, and nearly daily on this list.

  Posting the last 2-3 lines of "authentication failed" is nearly useless.

  Alan DeKok.

List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list