Problem with MSCHAP and Freeradius authentication
Alan DeKok
aland at deployingradius.com
Fri Jan 20 16:45:58 CET 2012
Dhiraj Gaur wrote:
> I have been trying to implement radius authentication server at my
> workplace. The idea is to have all wifi access points authenticate
> against a radius server.
That is a common deployment, and should be easy to do.
> The radius server needs to pass authentication to a backend Active
> Directory server. I have been successful in authenticating wifi users
> against file based and SQL based authentication in radius. NTLM_AUTH
> using PAP also works fine, wherein plaintext password is successfully
> authenticated against the AD and I get an "Access-Accept". However when
> I pass the same credentials over CHAP, MSCHAP or EAP_MSCHAP the same is
> not working and I end up in an "Access-Reject".
CHAP will *not* work with AD. See my web site:
http://deployingradius.com/documents/protocols/compatibility.html
> Seems like that the
> ntlm_auth program is not parsing the received encrypted password hence
> the authentication fails. MSCHAP is a requirement as wifi clients at my
> place mostly have eap supplicant. (Read in freeradius documentation that
> eap and ldap don't go hand in hand, I may be wrong at interpreting the
> same)
You've misconfigured the server. You have it trying to do ntlm_auth
using the User-Password, and then sending it an MS-CHAP authentication.
There's no User-Password in MS-CHAP.
Follow the instructions on my web site for configuring ntlm_auth:
http://deployingradius.com/documents/configuration/active_directory.html
And then follow the other instructions for getting EAP to work.
> The freeradius logs for all the cases is listed below. Radius gurus
> please point me to the right direction as to make MS_CHAP authentication
> work over ntlm_auth or ldap(if possible).
>
> PS: I did all the testing using JRadius simulator.
FreeRADIUS comes with "radclient", which does PAP, CHAP, and MS-CHAP.
That should be all you need.
Alan DeKok.
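
The mismatch described in the reply above, as an added illustration that is not part of the original message and not the poster's actual configuration: the first stanza hands ntlm_auth a User-Password and so can only serve PAP, while the second hands it the MS-CHAP challenge and response. It assumes a FreeRADIUS 2.x-style raddb layout; /path/to/ntlm_auth and MYDOMAIN are placeholders.

```conf
# Added example, not the poster's configuration. /path/to/ntlm_auth and
# MYDOMAIN are placeholders; file locations assume a FreeRADIUS 2.x raddb.

# --- PAP only: raddb/modules/ntlm_auth ------------------------------------
# Usable only when the request carries a User-Password attribute (PAP).
# An MS-CHAP or EAP-MSCHAPv2 request has no User-Password, so
# %{User-Password} has nothing to expand to and the check cannot succeed.
exec ntlm_auth {
        wait = yes
        program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
}

# --- MS-CHAP: raddb/modules/mschap ----------------------------------------
# The mschap module passes the challenge and NT-Response taken from the
# request to ntlm_auth, and AD verifies them; no cleartext password is used.
mschap {
        ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

# --- raddb/sites-enabled/default and inner-tunnel -------------------------
authorize {
        mschap      # sets Auth-Type = MS-CHAP when MS-CHAP attributes are present
        eap
}
authenticate {
        Auth-Type MS-CHAP {
                mschap
        }
        eap
}
```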