Limitation of authenticating against AD

Dennis Xu dxu at
Wed Sep 3 18:26:33 CEST 2014

Thanks. Yes, we have to configure FreeRadius server to use ntlm_auth. But my problem is that our AD does not store passwords in NT hash format. They use SHA1 hash or crypt'd format.


----- Original Message -----
From: "Eloy Paris" <peloy at>
To: dxu at, "FreeRadius users mailing list" <freeradius-users at>
Sent: Wednesday, September 3, 2014 12:01:26 PM
Subject: Re: Limitation of authenticating against AD

On 09/03/2014 11:52 AM, Dennis Xu wrote:

> Hello,
> I am looking for confirmation that because our AD stores passwords in crypt'd or SHA1 format, we cannot use FreeRadius to authenticate against our AD using PEAP and EAP-MSCHAPv2?
> Is the above link still up-to-date?

Take a look at:

You need to configure your FreeRADIUS server to use ntlm_auth precisely 
because FreeRADIUS does not have access to the cleartext passwords of 
Active Directory users.


Eloy Paris.-

More information about the Freeradius-Users mailing list