One virtual server for MS-chapv2 against AD w/ ntlm_auth, the other one against ldap ntpasswd hash possible?

schilling schilling2006 at
Tue Dec 14 21:14:34 CET 2010

Got the whole setup working. So basically if users sign on with
username at with eap, they will be sent to ldap w/ ntpassword
authorization. If users sign on with username only with eap, they will
be sent to active directory w/ ntlm authentication.
Configuration changes are the following:
etc/raddb/proxy.conf add
    realm {
    realm NULL {
/etc/raddb/site-enabled/inner-tunnel at the ldap line in authorize section add
    switch "%{Realm}" {
        case {
            #see /etc/raddb/module/mschap if ntpassword available, then do not use
            update control {
                MS-CHAP-Use-NTLM-Auth := NO
        case NULL {

etc/raddb/module/mschap, etc/raddb/module/ntlm are all from integrate
with Active Directory howto.

Thanks for the great software, and can not wait to see the finish of
the book. There are so many internals to be understood.


On Wed, Dec 8, 2010 at 2:12 AM, Alan DeKok <aland at> wrote:
> schilling wrote:
>> Just to be sure. Both user(username and username at will use
>> eap, mschapv2 to authenticate. But there is only one mschap module in
>> etc/raddb/modules/?
>  So... configure another mschap module.
>  See raddb/modules/files for examples of configuring two instances of
> the same module.
>  Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
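
The setup described in the message above, written out in full as an added example (not the poster's own files). The realm name `example.org` is a placeholder, and the mschap module is assumed to already have `ntlm_auth` configured as in the Active Directory howto.

```conf
# --- proxy.conf ---
# A realm with no home server pool is handled locally (never proxied).
# "example.org" is a placeholder for the realm whose users live in LDAP.
realm example.org {
}

# NULL matches user names that carry no realm at all ("bob").
realm NULL {
}

# --- inner-tunnel virtual server, authorize section ---
# This replaces the plain "ldap" line. The "suffix" module must already
# have run earlier in authorize so that the Realm attribute is set.
switch "%{Realm}" {
    case "example.org" {
        # Look the user up in LDAP so the NT-Password hash is available.
        ldap

        # Tell mschap to verify the MS-CHAPv2 response against that
        # hash itself rather than calling the ntlm_auth helper.
        update control {
            MS-CHAP-Use-NTLM-Auth := No
        }
    }
    case NULL {
        # No realm: leave the control list alone, so mschap runs its
        # configured ntlm_auth helper against Active Directory.
        noop
    }
}
```

A user name with a realm that matches neither case falls through the switch untouched and is handled with the mschap module's default behaviour, so any other realms need their own `case` or an explicit reject.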

More information about the Freeradius-Users mailing list