Yet another multiple SSID setup question

Fajar A. Nugraha list at
Fri Jul 15 05:30:09 CEST 2011

On Fri, Jul 15, 2011 at 9:28 AM, Nick Kartsioukas
<lists.freeradius at> wrote:
> The LDAP queries are against the AD server, btw.  I forgot to paste the
> mschap module config, but that's pretty basic...
> mschap mschap_cuesta {
>        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=CUESTA
>        --username=%{%{Stripped-User-Name}:-%{User-Name:-None}}
>        --challenge=%{mschap:Challenge:-00}
>        --nt-response=%{mschap:NT-Response:-00}"
> }

Ah, OK.

I think this will not work

authenticate {
       Auth-Type CUESTA {

... as it means "do eap, and AFTER THAT do mschap". That roughly means
mschap will be processed if eap does not return handled/success. What
you want is "do eap, and inside eap do mschap".

So try changing it to

authenticate {
       Auth-Type CUESTA {

and on the eap section, add the lines pointing to an inner tunnel,
something like this

       eap eap_cuesta {
               peap {
                       default_eap_type = mschapv2
                       copy_request_to_tunnel = no
                       use_tunneled_reply = no
                       virtual_server = "inner-tunnel-cuesta"

then create a NEW config file to handle the virtual server
inner-tunnel-cuesta (use sites-available/inner-tunnel as a base). On
this virtual server you need to configure mschap and ntlm_auth.


More information about the Freeradius-Users mailing list