Sudden User Authentication Rejection as a result Compatibility - error

Alan DeKok aland at
Tue Feb 24 16:40:36 CET 2015

On Feb 24, 2015, at 8:47 AM, Clement Ogedengbe <c.ogedengbe at> wrote:
> I have now tested the server with eapol_test (without certificate validation) and it failed. I tested  using the eaptest config below (PEAP & TTLS) : (I have masked out userid & password).  

  That’s bad.

> EAP-MSCHAPV2: Received success
> EAP-MSCHAPV2: Invalid authenticator response in success request

  That’s the problem.

  Why does it happen?

> [mschap_ad] Creating challenge hash with username: uwjrstest
> [mschap_ad] 	expand: --challenge=%{mschap_ad:Challenge:-00} -> --challenge=eb2123a7a496e886
> [mschap_ad] 	expand: --nt-response=%{mschap_ad:NT-Response:-00} -> --nt-response=4619af06b81d1426e5c7921fe751e5f46b7ee3456b3b0c7f
> Exec-Program output: NT_KEY: 51C1A08577E4ECDBBD59863E8B0BF5BD 
> Exec-Program-Wait: plaintext: NT_KEY: 51C1A08577E4ECDBBD59863E8B0BF5BD 

  ntlm_auth is giving the wrong response to FreeRADIUS.

  i.e. the problem isn’t FreeRADIUS.

  Re-start Samba, winbindd, etc.  Then try it again.  It should work.

  If it doesn’t, upgrade Samba to a version that works.  Or (sad to say) downgrade it to a version that works.

  Alan DeKok.

More information about the Freeradius-Users mailing list