how to limit the repeating ldap lookups

Phil Mayers p.mayers at
Wed Aug 28 17:22:36 CEST 2013

On 28/08/13 15:46, Arran Cudbard-Bell wrote:

> OK. Just wondering if you could really get it down to a single
> lookup, IIRC you needed the 'known good' NT-Password data for a
> couple of rounds of MSCHAPv2?

Nope, just one. The MSCHAP challenge & response arrive at you, you
validate them and in turn generate the response2.

You might be thinking of the first pass in EAP-MSCHAP, where the client 
sends EAP-identity and the server sends EAP-MSCHAP challenge, but that's 
stateless - just a random number. Likewise, the 3rd pass MSCHAP 
success/fail packet is stateless.

More information about the Freeradius-Users mailing list