mschap module vs ntlm_auth module

Óscar Remírez de Ganuza Satrústegui oscarrdg at
Wed Mar 6 16:31:39 CET 2013

Good afternoon,

As I said some days ago in this list, we have configured our freeradius
server to use ntlm_auth for autentication following the document:

Everything is working as expected. Thanks!

But I have some doubts about that documentation.
In section "Configuring FreeRADIUS to use ntlm_auth" is said to "to list
ntlm_auth in the authenticate sections of each the
raddb/sites-enabled/default file, and of the
raddb/sites-enabled/inner-tunnel file."

I have made some tests and it seems that is not needed to add it, as
freeradius is using mschap module to autenticate.

+- entering group MS-CHAP {...}
[mschap] Client is using MS-CHAPv1 with NT-Password
[mschap]     expand: %{Stripped-User-Name} -> oscarrdg
[mschap]     expand:
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} ->
[mschap]  mschap1: b9
[mschap]     expand: %{mschap:Challenge} -> b9415739df3a9c1b
[mschap]     expand: --challenge=%{%{mschap:Challenge}:-00} ->
[mschap]     expand: %{mschap:NT-Response} ->
[mschap]     expand: --nt-response=%{%{mschap:NT-Response}:-00} ->
Exec-Program output: NT_KEY: 312D5366FF0179461F1E13FA4AECD06A
Exec-Program-Wait: plaintext: NT_KEY: 312D5366FF0179461F1E13FA4AECD06A
Exec-Program: returned: 0
[mschap] adding MS-CHAPv1 MPPE keys
++[mschap] returns ok

Is there anything else to take into account considering adding that section
to the virtual servers configuration or not? Or is it just needed when
Auth-Type is set to ntlm_auth manually in order to test the system?

I usually prefer to let config files as similar to the default files as

Thank you so much for your help.


Oscar Remírez de Ganuza Satrústegui*
Servicios Informáticos (Área de Infraestructuras)
Universidad de Navarra
Tel. +34 948425600 x803130
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Freeradius-Users mailing list