PAP and NT-hashed password

sb superabx at
Tue Dec 30 14:50:58 CET 2014

freeradius: FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built
on Feb 24 2014 at 15:16:50

Rather old one, but it is not a new system, I just have to add this
feature. It the upgrade is needed, it's ok, but it will take some time to
stop the production.

Full output of freeradius -X after command

radtest -t pap abx n*************W localhost 0 secret


Ready to process requests.
rad_recv: Access-Request packet from host port 51020, id=47,
    User-Name = "abx"
    User-Password = "n*************W"
    NAS-IP-Address =
    NAS-Port = 0
# Executing section authorize from file
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]     expand:
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands
to /var/log/freeradius/radacct/
[auth_log]     expand: %t -> Tue Dec 30 16:30:56 2014
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "abx", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++- entering policy redundant {...}
[local] performing user authorization for abx
[local]     expand: %{Stripped-User-Name} ->
[local]     ... expanding second conditional
[local]     expand: %{User-Name} -> abx
[local]     expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
[local]     expand: dc=ourcorp,dc=net -> dc=ourcorp,dc=net
  [local] ldap_get_conn: Checking Id: 0
  [local] ldap_get_conn: Got Id: 0
  [local] performing search in dc=ourcorp,dc=net, with filter (uid=abx)
[local] checking if remote access for abx is allowed by dialupAccess
[local] Added User-Password = 1D*************************************9B in
check items
[local] No default NMAS login sequence
[local] looking for check items in directory...
  [local] sambaNtPassword -> NT-Password ==
  [local] sambaLmPassword -> LM-Password ==
[local] looking for reply items in directory...
  [local] radiusFramedIPAddress -> Framed-IP-Address =
[local] user abx authorized to use remote access
  [local] ldap_release_conn: Release Id: 0
+++[local] returns ok
++- policy redundant returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
++[pap] returns updated
Found Auth-Type = PAP
!!!    Replacing User-Password in config items with Cleartext-Password.
!!! Please update your configuration so that the "known good"
!!! clear text password is in Cleartext-Password, and not in User-Password.
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "n****************W"
[pap] Using clear text password "1D********************************9B"
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
Login incorrect (rlm_pap: CLEAR TEXT password check failed):
[abx/n***********************W] (from client localhost port 0)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> abx
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 2 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 2
Sending Access-Reject of id 47 to port 51020
Waking up in 4.9 seconds.
Cleaning up request 2 ID 47 with timestamp +66
Ready to process requests.

I can guess the problem is here
[local] Added User-Password = 1D*************************************9B in
check items

It should be NT-Password, not User-Password, right?
But how to fix it...

On Tue, Dec 30, 2014 at 3:13 PM, Alan DeKok <aland at>

> On Dec 30, 2014, at 4:46 AM, sb <superabx at> wrote:
> > I'm trying to authenticate users from LDAP with FreeRadius by PAP
> protocol. Passwords are stored in LDAP in NT-hash. It's not my idea, I just
> have to do it.
>   It works.
> > When I do
> >
> > radtest -t pap ....
> >
> > I see from freeradius -X:
> >
> > [pap] login attempt with password "n*******W"
> > [pap] Using clear text password "1D******************************9B”
>   No, that is not ALL of what you see.  It’s an edited portion.
>   When we say we need the debug output, we don’t mean we want random lines
> from part of the debug output.  We want ALL of the debug output.  There may
> be something important in the REST of the debug output.  We may need that
> piece to solve the problem.
>   By editing the debug output, you’ve made it difficult for us to help you.
>   And which version are you running?  That may help, too.
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Freeradius-Users mailing list