FreeRADIUS not receiving password from WLC

Phil Mayers p.mayers at
Wed May 7 18:53:06 CEST 2014

On 07/05/14 16:33, Richard Long wrote:
> Hi all,
> I'm a bit stuck.  I've stood up a CentOS server with FreeRADIUS so I
> can authenticate against Active Directory using a Cisco Wireless
> Controller.  As you can see from the output below, I've got ntlm_auth
> and radtest working correctly, however, the wireless controller
> doesn't seem to be passing passwords to FreeRADIUS.  I very obviously
> got something wrong in my setup, but I can't figure out what.  I
> appreciate any help.

Few things for background, because terminology matters:

First, the wireless controller doesn't "send passwords" (unless you're 
doing web auth). It forwards the EAP traffic from the wireless client.

Second, the only valid EAP methods for WPA-Enterprise are those which 
generate keying material - typically, but not exclusively, TLS-based 
methods. In almost every case, the password is not available, and in the 
few cases it is, only *after* EAP has completed a TLS exchange.

Third, you are further limited by the intersection of the EAP methods 
your client base supports and your password store can authenticate.

See here for more information:

Looking at your debugging, the problem is that you've put the 
"ntlm_auth" module into authorize like this:

authorize {

That's not what you want. The (unfortunately named) "ntlm_auth" module 
checks username/password. As above, wireless clients don't send this - 
they speak one or more EAP methods. In any event, you don't want to put 
that module there; it would live in "authenticate" and you'd use an 
"Auth-Type" directive to direct to it, as described here:

Remove the "ntlm_auth" module from your config. What you actually want 
is to take the default config and:

  1. Edit "modules/mschap". Uncomment and put appropriate values for the 
"ntlm_auth" option of *that* module
  2. Start the server and test

More information about the Freeradius-Users mailing list