freeradius using linux user passwd

Matthew Newton mcn4 at
Tue Jul 9 11:18:43 CEST 2013


On Mon, Jul 08, 2013 at 03:10:31PM -0700, Julian Macassey wrote:
> 	I'm just trying to do a bog standard username and
> password for OS X and Linux users on laptops - Plus the
> ubiquitous smartphones of course. I have no Microsoft gear on the
> LAN.

Try adding the following to the *top* of your users file:

evergreen Cleartext-Password := "pa55word", MS-CHAP-Use-NTLM-Auth := 0

Then restart FR and try logging in again with the password 'pa55word'.

> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] eaptls_verify returned 7 


your client is set to do PEAP/EAP-MSCHAPv2 - which is what most
things (including Windows) will do by default. It can't auth
against /etc/passwd, but it can if it knows the cleartext password
as shown above.

> [eap] Request found, released from the list
> [eap] EAP/mschapv2
> [eap] processing type mschapv2
> [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
> [mschapv2] +- entering group MS-CHAP {...}
> [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
> [mschap] No Cleartext-Password configured.  Cannot create NT-Password.
> [mschap] Creating challenge hash with username: evergreen
> [mschap] Told to do MS-CHAPv2 for evergreen with NT-Password
> [mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
> [mschap] FAILED: MS-CHAP2-Response is incorrect

This is the EAP-MSCHAPv2 bit (inside the PEAP inner tunnel)
telling you it's got no cleartext password or NTLM hash, so it
can't authenticate the user.

Given a cleartext password as above, you should be good to go.


Matthew Newton, Ph.D. <mcn4 at>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at>

More information about the Freeradius-Users mailing list