PAP and NT-hashed password

Alan DeKok aland at
Tue Dec 30 16:00:53 CET 2014

On Dec 30, 2014, at 8:50 AM, sb <superabx at> wrote:
> freeradius: FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Feb 24 2014 at 15:16:50
> Rather old one, but it is not a new system, I just have to add this feature. It the upgrade is needed, it's ok, but it will take some time to stop the production.

  You shouldn’t need to upgrade.

> Full output of freeradius -X after command
>   [local] performing search in dc=ourcorp,dc=net, with filter (uid=abx)
> [local] checking if remote access for abx is allowed by dialupAccess
> [local] Added User-Password = 1D*************************************9B in check items

  And… that’s the issue.  You’ve configured it to get the User-Password from LDAP.

> [local] No default NMAS login sequence
> [local] looking for check items in directory...
>   [local] sambaNtPassword -> NT-Password == 0x31***********************************************************************42

  That means it’s not using the NT-Password.  

> Found Auth-Type = PAP
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!!    Replacing User-Password in config items with Cleartext-Password.     !!!
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!! Please update your configuration so that the "known good"               !!!
> !!! clear text password is in Cleartext-Password, and not in User-Password. !!!
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

  It helps to READ these messages and fix the problem.  If you had done that, it would have worked.

  Alan DeKok.

More information about the Freeradius-Users mailing list