mschap module vs ntlm_auth module

Phil Mayers p.mayers at
Wed Mar 6 17:12:16 CET 2013

On 06/03/13 15:31, Óscar Remírez de Ganuza Satrústegui wrote:
> Good afternoon,
> As I said some days ago in this list, we have configured our freeradius
> server to use ntlm_auth for autentication following the document:

If you read that page carefully, you'll see it's talking about two 
different modules for two different purposes.


  1. It first talks about creating an instance of the "exec" module 
called "ntlm_auth". This processes PAP requests, and is tested by 
forcing Auth-Type

  2. It then talks about throwing that config away (remove the 
Auth-Type, stop using that module) and now configuring the "mschap" 
module, by setting the "ntlm_auth" helper.

It might be a bit confusing that "ntlm_auth" is used twice there - once 
as the name of an "exec" instance, once as a config variable for the 
"mschap" module, but they're different use-cases.

> Everything is working as expected. Thanks!
> But I have some doubts about that documentation.
> In section "Configuring FreeRADIUS to use ntlm_auth" is said to "to list
> ntlm_auth in the authenticate sections of each the
> raddb/sites-enabled/default file, and of the
> raddb/sites-enabled/inner-tunnel file."
> I have made some tests and it seems that is not needed to add it, as

Correct, you don't need it.

More information about the Freeradius-Users mailing list