MSCHAP Machine/User Authentication with Windows

Tynan Young tynany at
Tue May 12 01:31:38 CEST 2015

On Mon, May 11, 2015 at 6:41 PM, Stefan Paetow <Stefan.Paetow at> wrote:
>>>> (8) mschap : EXPAND --domain=%{%{mschap:NT-Domain}:-TESTDOMAIN}
>>>> (8) mschap :    --> --domain=in
> [snip]
>> Username = testuser
>> Domain = testdomain
> [snip]
>> I believe that debug is of an attempted machine authentication, which would
>> explain 'host/machine name' (ie host/
> Ok, then see my quote above... mschap believes that your domain is 'in'. You might want to adjust the ntlm_auth command-line to hardcode the domain name in, or you can use unlang to set the NT-Domain attribute to 'testdomain'. :-)
> That should make it happ(y|ier).
> Additionally, Ben's posted a bunch of settings that might be useful in Windows. His dialogs are in German, although that should not really be an issue.
> Stefan Paetow
> Moonshot Industry & Research Liaison Coordinator

Awesome, manually setting the domain attribute to testdomain fixed
machine authentication. My NTLM line now looks like:
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{mschap:User-Name:-None} --domain=testdomain

Thanks for the help.
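
Added example, not part of the original post and not FreeRADIUS code: a small Python check that reads radiusd debug output and reports each request whose expanded --domain argument differs from the domain you expect, which is the symptom Stefan pointed out above ('in' instead of 'testdomain'). The function name, the request 9 sample lines and the case-insensitive comparison are assumptions of this example.

```python
import re

# Matches the two debug line shapes quoted in the thread:
#   (8) mschap : EXPAND --domain=%{%{mschap:NT-Domain}:-TESTDOMAIN}
#   (8) mschap :    --> --domain=in
LINE = re.compile(
    r"^\((?P<req>\d+)\)\s+mschap\s*:\s+(?P<kind>EXPAND|-->)\s+(?P<args>.*)$"
)
DOMAIN = re.compile(r"--domain=(\S+)")

# Request 8 is copied from the thread; request 9 is constructed to show
# what the output looks like once the domain is hardcoded.
SAMPLE = """\
(8) mschap : EXPAND --domain=%{%{mschap:NT-Domain}:-TESTDOMAIN}
(8) mschap :    --> --domain=in
(9) mschap : EXPAND --domain=testdomain
(9) mschap :    --> --domain=testdomain
""".splitlines()


def check_domains(debug_lines, expected):
    """Return (request, template, expanded) for every --domain value
    that did not expand to `expected`."""
    pending = {}    # request number -> template seen on the EXPAND line
    findings = []
    for raw in debug_lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        dom = DOMAIN.search(m["args"])
        if not dom:
            continue
        req = int(m["req"])
        if m["kind"] == "EXPAND":
            pending[req] = dom.group(1)
            continue
        template = pending.pop(req, None)
        # Assumption: domain names are compared case-insensitively.
        if dom.group(1).lower() != expected.lower():
            findings.append((req, template, dom.group(1)))
    return findings


if __name__ == "__main__":
    for req, template, got in check_domains(SAMPLE, "testdomain"):
        print(f"request {req}: {template} expanded to {got!r}")
```

Feed it the lines from a debug run in place of SAMPLE; an empty result means every ntlm_auth call was handed the expected domain.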