using userPassword instead sambaNTPassword

Nicolás Guerra nicoguerrarocha at
Mon Sep 22 17:08:23 CEST 2014

thank you for your quick and clear answer.
between lines:
> ------------------------------
> Message: 3
> Date: Sun, 21 Sep 2014 02:33:01 +0200
> From: Sven Hartge <sven at>
> To: freeradius-users at
> Subject: Re: using userPassword instead sambaNTPassword
> Message-ID: <541E1CBD.4050604 at>
> Content-Type: text/plain; charset="windows-1252"
> On 19.09.2014 20:26, Nicol?s Guerra wrote:
>> please forgive my ignorance, I'm new in freeRADIUS, I'm just trying to
>> make it work as I'd been asked (users should authenticate with the
>> userPassword attr).
> You can't.
> Unless the userPassword attributed stores the password in plain text, it
> is mathematically impossible to get this to work with MS-CHAPv2. And by
> saying "impossible" I mean "impossible". It will never work. It can
> never work. Stop trying to get it to work.
thank you for this advised ;-)
> You have some options:
> a) Store the password also in a different attribute in plain text. Use
> that instead of the userPassword attribute for MS-CHAPv2.
this is no the idea. plain text passwords are not secure in this working 
> b) Store the password also in the sambaNTPassword attribute, hashed in
> the format it needs to be.
it does work this way, but the idea of using userPassword, is not depend 
of a samba user, or samba.
> c) Don't use MS-CHAPv2 but PAP. This will not work with any Windows
> prior to Windows 8. If you need to support Windows XP/Vista/7 without
> additional tools, this is no option for you.
I liked this one, I'll try PAP, just one question, how about macOS? any 
problem with MAC?
I don't care too much for oldest windows, in my job almost every windows 
is up to 8, or 8.1 and Linux works like a charm :-)
> Gr??e,
> Sven.

More information about the Freeradius-Users mailing list