question regarding PEAP/MSCHAPv2 (ERROR: FAILED: No NT/LM-Password. Cannot perform authentication)

Alan DeKok aland at
Fri Oct 30 13:57:07 CET 2015

On Oct 30, 2015, at 8:54 AM, Thomas Stather <Thomas.Stather at> wrote:
> I tried to set
> password_attribute to "sambaNTPassword" but the error is still the same.

  Post the *full* debug.

> As we have the hashes in our LDAP it seems that i have to switch to "ntlm_auth" module

  No.  FreeRADIUS can get the hashes directly from LDAP.

> radtest -t mschap tstather <my password> 0 <shared secret>
> it works, but connecting via WLAN fails.
> (8) mschap:    --> --nt-response=9afa807de748f4cdfb1dcd7414d6ba3a9d5a787c18b448ad
> (8) mschap: ERROR: Program returned code (1) and output 'Logon failure (0xc000006d)'

  Which seems pretty straightforward.

> I think the problem comes from the "Mschap:User-Name" variable which holds the full username, i.e. "tstather at"
> How can i change the configuration so that the username is the username without our realm, in this case "tstather"?

  Don't.  Fix it so that FreeRADIUS gets the passwords from LDAP.  It will be simpler, faster, and easier to maintain.

  Alan DeKok.

More information about the Freeradius-Users mailing list