ntlm_auth not respected

Phil Mayers p.mayers at imperial.ac.uk
Thu Aug 22 00:05:56 CEST 2013

On 21/08/2013 13:55, Chris Parker wrote:
> Thank you Phil! That resolved my first steps, and I figured there was
> something like that. I have poured over deployingfreeradius.com, but
> for the life of me I could not find anything of assistance for my set
> up.

Yeah... to be honest, I think I've just confused matters.

> I have enabled the ntlm_auth line in modules/mschap but no password
> is sent to ntlm_auth to be checked. So the fact that it's failing
> makes sense, since there's no password being read in and thus it
> fails authorize. So this is just escaping me on how to get the
> password into ntlm_auth via MSCHAP. On top of that, when my access
> point succeeds against the users file, I suspect it's doing EAP but
> the logs never say "I have detected EAP, setting EAP"

I see a lot of confusion in that paragraph.

In brief: RADIUS supports multiple authentication algorithms, and the 
client chooses the algorithm.

"modules/ntlm_auth" can only handle PAP, which sends a username & password.

"modules/mschap" can handle MSCHAP, which sends a challenge/response 
based on the password

"eap" handles EAP, and then calls other modules to handle what runs 
inside the EAP tunnel.

You're getting confused because you seem to be trying to configure 
"modules/ntlm_auth" to handle MSCHAP, which won't work. MSCHAP doesn't 
send the password to the server; just a one-time function of it.

My advice - go back to the default configs, and ignore 
"modules/ntlm_auth". It's not really intended for use as-is; it's a 
sample config for people to build on if the have advanced knowledge of 
the server.

Re-read the stuff on deployingradius.com - if you're trying to do 
WPA-Enterprise (aka 802.1x) then it is definitive. If you're trying to 
do something else, describe what, and show a *full* debug of a client 
trying and failing.

More information about the Freeradius-Users mailing list