mschap with ntlm_auth and Active Directory

robert22
Thu Mar 3 07:04:51 CET 2011

I am trying to set up FreeRADIUS to process requests from our Wireless
Controller. The controller uses the wireless device's MAC address as the
username, and a predefined password. These MAC addresses all exist in
Active Directory as user accounts, with the same password set. This works
fine with our current Windows 2003 Server but I'm trying to get it going with

the mschap module line in MSCHAP for ntlm_auth is as such:

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

the ntlm_auth module itself contains:

program = "/usr/bin/ntlm_auth --request-nt-key --domain=MY.ACTUAL.DOMAIN
--username=%{mschap:User-Name} --password=%{User-Password}"

I haven't changed anything in the users file except adding a test local
user as part of the initial FreeRADIUS install guide, and uncommenting the
DEFAULT Auth-Type = ntlm_auth line for using the following to test:

root at FREERADIUS:/etc/freeradius# radtest    localhost 0 sharedsecret

which seems to work:

rad_recv: Access-Accept packet from host port 1812, id=217,

but when I set the Wireless controller to point to the FreeRadius server,
this is the debug log:

rad_recv: Access-Request packet from host port 32987, id=83,
        User-Name = "001E52805980"
        MS-CHAP-Challenge = 0x86acd2fc97136970
        MS-CHAP-Response =
        NAS-IP-Address =
        NAS-Port = 0
        NAS-Port-Type = Wireless-Other
        NAS-Identifier = "redlan1"
        Calling-Station-Id = "001E52805980"
        Called-Station-Id = "001F457E67A8"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
[suffix] No '@' in User-Name = "001E52805980", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv1 with NT-Password
[mschap]        expand: --username=%{mschap:User-Name:-None} ->
[mschap] No NT-Domain was found in the User-Name.
[mschap]        expand: %{mschap:NT-Domain} ->
[mschap]        ... expanding second conditional
[mschap]        expand: --domain=%{%{mschap:NT-Domain}:-MY.ACTUAL.DOMAIN} ->
[mschap]  mschap1: 86
[mschap]        expand: --challenge=%{mschap:Challenge:-00} ->
[mschap]        expand: --nt-response=%{mschap:NT-Response:-00} ->
Exec-Program output: Logon failure (0xc000006d)
Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] MS-CHAP-Response is incorrect.
++[mschap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> 001E52805980
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 5 for 1 seconds
Going to the next request


Hoping someone can point me in the right direction of where I might have
messed up, or what further reading I might need to do?

Many Thanks

