PAP and NT-hashed password

sb superabx at
Fri Jan 2 13:26:33 CET 2015

On Wed, Dec 31, 2014 at 3:34 PM, Alan DeKok <aland at>

> On Dec 30, 2014, at 10:58 AM, sb <superabx at> wrote:
> > Thank you, Alan! I will try to upgrade to 2.2.6.
>   That’s really the best solution.

Upgraded to 2.2.6, nothing changes.


# radiusd -v
radiusd: FreeRADIUS Version 2.2.6, for host x86_64-unknown-linux-gnu, built
on Jan  2 2015 at 13:43:16

rad_recv: Access-Request packet from host port 32834, id=32, length=55
	User-Name = "abx"
	User-Password = "n***********W"
	NAS-IP-Address =
	NAS-Port = 0
# Executing section authorize from file
+group authorize {
++[preprocess] = ok
[auth_log] 	expand: %{Packet-Src-IP-Address} ->
[auth_log] 	expand:
-> /usr/local/var/log/radius/radacct/
[auth_log] /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /usr/local/var/log/radius/radacct/
[auth_log] 	expand: %t -> Fri Jan  2 15:07:04 2015
++[auth_log] = ok
++[chap] = noop
++[mschap] = noop
[suffix] No '@' in User-Name = "abx", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
++[files] = noop
++policy redundant {
[local] performing user authorization for abx
[local] 	expand: %{Stripped-User-Name} ->
[local] 	... expanding second conditional
[local] 	expand: %{User-Name} -> abx
[local] 	expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=abx)
[local] 	expand: dc=ourcorp,dc=net -> dc=ourcorp,dc=net
  [local] ldap_get_conn: Checking Id: 0
  [local] ldap_get_conn: Got Id: 0
  [local] attempting LDAP reconnection
  [local] (re)connect to localhost:389, authentication 0
  [local] setting TLS CACert File to certs/
  [local] setting TLS CACert Directory to /etc/ssl/certs
  [local] setting TLS Cert File to certs/
  [local] setting TLS Key File to certs/
  [local] bind as cn=readuser,dc=ourcorp,dc=net/******* to localhost:389
  [local] waiting for bind result ...
  [local] Bind was successful
  [local] performing search in dc=ourcorp,dc=net, with filter (uid=abx)
[local] checking if remote access for abx is allowed by dialupAccess
[local] Added User-Password = 1D*********************9B in check items
[local] looking for check items in directory...
  [local] sambaNtPassword -> NT-Password ==
  [local] sambaLmPassword -> LM-Password ==
[local] looking for reply items in directory...
  [local] radiusFramedIPAddress -> Framed-IP-Address =
[local] user abx authorized to use remote access
  [local] ldap_release_conn: Release Id: 0
+++[local] = ok
++} # policy redundant = ok
++[expiration] = noop
++[logintime] = noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
++[pap] = updated
+} # group authorize = updated
Found Auth-Type = PAP
!!!    Replacing User-Password in config items with Cleartext-Password.     !!!
!!! Please update your configuration so that the "known good"               !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group PAP {
[pap] login attempt with password "n**************W"
[pap] Using clear text password "1D********************9B"
[pap] Passwords don't match
++[pap] = reject
+} # group PAP = reject
Failed to authenticate the user.
Using Post-Auth-Type REJECT
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group REJECT {
[attr_filter.access_reject] 	expand: %{User-Name} -> abx
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 32 to port 32834
Waking up in 4.9 seconds.
Cleaning up request 0 ID 32 with timestamp +4
Ready to process requests.

I can not understand why is this:

[local] Added User-Password = 1D*********************9B in check items

There is nothing of User-Password in ldap.attrmap, why the radius adds it
from sambaLmPassword?
I can not put cleartext passwords in LDAP, so I have to work with NT-hashed
passwords only.
So, how to tell the radius that User-Password and Cleartext-Password are
empty and it has to operate with NT-Password?
I believe it should be smth simple that I forgot to do...
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Freeradius-Users mailing list