Problem with MSCHAP and Freeradius authentication

Fajar A. Nugraha list at
Sat Jan 21 15:14:28 CET 2012

On Sat, Jan 21, 2012 at 8:58 PM, Dhiraj Gaur <dhiraj.gaur at> wrote:
> rad_recv: Access-Request packet from host port 54347, id=2, length=57
>         User-Name = "01546"
>         User-Password = "xxxxxxxx"

The presence of User-Password means you're still using pap.

> Sat Jan 21 19:21:08 2012 : Info: [ntlm_auth]    expand: --username=%{mschap:User-Name} -> --username=01546
> Sat Jan 21 19:21:08 2012 : Info: [ntlm_auth]    expand: --password=%{User-Password} -> --password=xxxxxxxxx

> So means that ntlm_auth is still working good but some access control triggers the Access-Reject.
> I am still directionless as to where should I head next, I mean how to make that EAP client and MSCHAP authentication work. Would appreciate if I could get some handy quick and dirty list of works to do next OR some URL/mailing list entry etc which explains the same.

Did you REALLY read the replies sent to this list?
Did you REALLY read Alan's page,
to the end?

If yes, you'd know that:
- radtest can send mschap request as well (see 'radtest -h')
- Alan's page, up to 'Configuring FreeRADIUS to use ntlm_auth',
contains detailed instructions on how to make FR work with AD and pap.
If you can't get it to work, that means you're doing something wrong.
Probably editing some entries you shouldn't, since your ntlm_auth
result is OK (which means samba + AD part is working correctly). It's
perfectly fine to be creative and edit the config file as you see fit,
but ONLY if you know what you're doing. If you're given a recipe, and
choose to stray from it, and mess up, don't blame the guy who
created the recipe.
- Also on Alan's page, there's the section 'Configuring FreeRADIUS to
use ntlm_auth for MS-CHAP'. That pretty much answers the last part of
your question, but ONLY if you already got pap working properly.
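
The attribute check made in the reply above (User-Password present means the request is PAP), generalized to the other common methods, as an added example that is not part of the original post. The debug lines are constructed sample data with shortened hex values, and `classify_requests` is a hypothetical helper name.

```python
import re

# Constructed sample of `radiusd -X` output (documentation IP, shortened hex).
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 192.0.2.10 port 54347, id=2, length=57
        User-Name = "01546"
        User-Password = "xxxxxxxx"
rad_recv: Access-Request packet from host 192.0.2.10 port 54348, id=3, length=135
        User-Name = "01546"
        MS-CHAP-Challenge = 0x0102030405060708090a0b0c0d0e0f10
        MS-CHAP2-Response = 0x00000000
rad_recv: Access-Request packet from host 192.0.2.10 port 54349, id=4, length=120
        User-Name = "01546"
        EAP-Message = 0x0201000a013031353436
"""

# Request attribute that identifies each method; first match wins.
METHOD_BY_ATTR = [
    ("EAP-Message", "eap"),
    ("MS-CHAP2-Response", "mschapv2"),
    ("MS-CHAP-Response", "mschap"),
    ("CHAP-Password", "chap"),
    ("User-Password", "pap"),
]

HEADER = re.compile(r"^rad_recv: Access-Request packet .*\bid=(\d+)")
ATTR = re.compile(r"^\s+([A-Za-z0-9-]+) = ")

def classify_requests(debug_text):
    """Return [(packet_id, method)] for each Access-Request in the debug log."""
    results, attrs = [], None
    for line in debug_text.splitlines():
        line = re.sub(r"^(>\s?)+", "", line)  # accept mail-quoted logs too
        header = HEADER.match(line)
        if header:
            attrs = set()
            results.append((int(header.group(1)), attrs))
        elif attrs is not None and (m := ATTR.match(line)):
            attrs.add(m.group(1))
        else:
            attrs = None  # any other line ends the current packet dump
    return [(pid, next((name for attr, name in METHOD_BY_ATTR if attr in seen),
                       "unknown")) for pid, seen in results]

if __name__ == "__main__":
    for pid, method in classify_requests(SAMPLE_DEBUG):
        print(f"id={pid}: {method}")
```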

