Ntlm_auth vs. Cleartext-password

Óscar Remírez de Ganuza Satrústegui oscarrdg at unav.es
Wed Feb 20 16:01:18 CET 2013

Good afternoon everybody,

We have configured freeradius to authenticate against Active
Directory/Samba using ntlm_auth, following the instructions on:
Everything works as expected.

Right now on our production server we are using LDAP to store the user
credentials. We would like to achieve a smooth transition to the new
authentication method. So want to configure freeradius to authenticate with
ntlm_auth just in the cases when there is not ClearText-Password available,
but we do not know how to do it.

Using instructions from modules/mschap:

        # If ntlm_auth is configured below, then the mschap
        # module will call ntlm_auth for every MS-CHAP
        # authentication request.  If there is a cleartext
        # or NT hashed password available, you can set
        # "MS-CHAP-Use-NTLM-Auth := No" in the control items,
        # and the mschap module will do the authentication itself,
        # without calling ntlm_auth.

We were able to *bypass* the ntlm_auth on some users/groups defining on the
users file the control item "MS-CHAP-Use-NTLM-Auth := No".

But is there a way to configure freeradius such that if Cleartext-Password
password is available it uses it, and otherwise it uses ntlm_auth to

Thank you so much for your help.


Oscar Remírez de Ganuza Satrústegui*
Servicios Informáticos (Área de Infraestructuras)
Universidad de Navarra
Tel. +34 948425600 x803130
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20130220/953f1dbe/attachment.html>

More information about the Freeradius-Users mailing list