PAP problem?

Phil Mayers p.mayers at
Thu Mar 3 13:06:04 CET 2011

On 03/03/11 11:52, Matt Langthorpe wrote:
> Hi list,
> I'm pretty sure this issue is straightforward but I've searched the
> list and can't come up with an answer.
> I'm using freeradius 2.19 on CentOS 5.5
> I'm trying to auth users from a NAC box (Bradford campus manager)
> against an AD domain using freeradius.
> All works fine when I point an AP at freeradius, but things fail
> when using our NAC to forward requests to FreeRadius. I suspect
> the problem is that the NAC is trying to use PAP, but I'm not sure how
> to really resolve the problem.

PAP requires a password or password hash from a database/ldap, or an 
external "oracle" (script or service) that checks the password.

Your LDAP isn't telling FreeRadius the password:

[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?

when the "pap" module runs:

[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.

If you're using AD, the LDAP server will not (cannot) give you a 
password or password hash. You'll therefore need to use Samba & the 
"ntlm_auth" helper binary (in "plaintext" mode, not MSCHAP) to do this.

In recent versions of FreeRadius there is a file defining an "exec" module:


...edit the "MYDOMAIN" in that file to the correct value, and you can 
use it like this:

authorize {
   # everything else, then right at the end
   update control {
     # If Auth-Type isn't already set (i.e. "=" versus ":=") set it
     Auth-Type = ntlm_auth
   }
}

authenticate {
   Auth-Type ntlm_auth {
     # run the "exec" module instance named ntlm_auth
     ntlm_auth
   }
}

Obviously Samba & Winbind will need to be configured, installed and the 
radius server joined to the domain.
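
An added example, not part of the original post: a small Python triage of `radiusd -X` debug output that flags requests rejected with the signature quoted above (no "known good" password, `pap` returning noop, no Auth-Type). The sample log is constructed from the lines in the post; the `rad_recv:` request delimiter, the `Found Auth-Type` line, the second request and all function names are assumptions of this example.

```python
import re

# Constructed sample: the lines quoted in the post plus an assumed second request.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 192.0.2.10 port 1812, id=1, length=60
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
rad_recv: Access-Request packet from host 192.0.2.10 port 1812, id=2, length=60
++[pap] returns noop
Found Auth-Type = ntlm_auth
"""

# Matches module return lines such as "++[pap] returns noop".
MODULE_RC = re.compile(r"^\+*\[(\w+)\] returns (\w+)$")

def split_requests(debug_text):
    """Split debug output into per-request chunks at each 'rad_recv:' line."""
    chunks, current = [], []
    for line in debug_text.splitlines():
        if line.startswith("rad_recv:") and current:
            chunks.append(current)
            current = []
        current.append(line)
    if current:
        chunks.append(current)
    return chunks

def triage(lines):
    """Classify one request by the module return codes and messages it logged."""
    rc = {m.group(1): m.group(2) for m in map(MODULE_RC.match, lines) if m}
    text = "\n".join(lines)
    no_auth_type = "No authenticate method (Auth-Type)" in text
    if no_auth_type and rc.get("pap") == "noop" and 'No "known good" password' in text:
        return "reject: no known-good password and no Auth-Type set"
    if no_auth_type:
        return "reject: no Auth-Type set"
    found = re.search(r"Found Auth-Type = (\S+)", text)
    return "auth-type: " + found.group(1) if found else "unclassified"

def triage_all(debug_text):
    return [triage(chunk) for chunk in split_requests(debug_text)]

if __name__ == "__main__":
    for number, verdict in enumerate(triage_all(SAMPLE_DEBUG), 1):
        print(number, verdict)
```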
