FreeRadius 2.1 + LDAP Authentication - mschap

Mackey, Theral tmackey at
Sat Jun 6 00:22:34 CEST 2009

[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for sminhas with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject

Needs NT/LM passwords (or plain-text) for mschap to work. See perl's Crypt::SmbHash on CPAN for an easy way to generate the hash from plaintext. 
Look at the samba schema for openLdap, and probably want to compile the smbk5pwd module for openLDAP as well (in the contrib section of the source) to keep your pwds sync'd (also check pam/nssldap conf for passwd changes using LDAP-exop if you let shell accounts change pwds too).



Message: 7
Date: Fri, 05 Jun 2009 14:47:36 -0400
From: Nik Alleyne <nalleyne at>
Subject: FreeRadius 2.1 + LDAP Authentication
To: freeradius-users at
Message-ID: <20090605144736.cpa0ghg1wk4ok4gk at>
Content-Type: text/plain;	charset=ISO-8859-1

Hi Guys,
I'm hoping someone can help me, because I have been fighting with this issue for
days now.

FC10 + FreeRadius 2.1 + OpenLdap 2.4.

I've successfully setup Certificate Based authentication on my FreeRadius server
and that works well. My problem is I have some users I want to authenticate via
username and password (EAP-PEAP).

I configured FreeRadius for such and my radtest (Access-Accept) works as well as
my NTRadPing Utility (Access-Accept) when checked against the users in LDAP.
However, I cannot seem to get my Windows XP Wireless Clients to authenticate.
Please see my debug info below for a sample user "sminhas" who has a cleartext
LDAP password as "it". Thanks for the help.

----------------  radiusd -X  ---------------------..snip

More information about the Freeradius-Users mailing list