Yet Another PEAP-MSCHAPV2 problem

Matthew Newton mcn4 at
Mon Sep 21 23:39:27 CEST 2015

On Mon, Sep 21, 2015 at 04:18:32PM -0500, Alex Moen wrote:
> I have multiple directories on that server.  My basedn was too
> broad, and I was getting an answer from a different directory tree
> than I thought.
> Now I just have to figure out why I can't authenticate.  I know one
> of the differences between the "branches" of the directory tree, is
> that the incorrect one is using Crypt passwords, and the correct one
> is using SSHA passwords.  Seems that the SSHA passwords are not
> working while the Crypt passwords do.

It's impossible to authenticate MSCHAP with Crypt or SSHA.

Your first e-mail had this:

> (29) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
> (29) ldap:    --> (uid=alexm)
> (29) ldap: Performing search in "o=ndtc" with filter "(uid=alexm)", scope "sub"
> (29) ldap: Waiting for search result...
> (29) ldap: User object found at DN "uid=alexm,ou=ndtcadministration,o=ndtc"
> (29) ldap: Processing user attributes
> (29) ldap:   control:Password-With-Header += 'ose55m1'

So it must have been getting a plain text password.

The next e-mail had:

> # debio at, ndtel, ndtc
> dn: uid=debio at,ou=ndtel,o=ndtc
> uid: debio at
> sambaAcctFlags: [U]
> sambaNTPassword: 6F005855B7OBFUSCATED!NOTHING2SEE

so there you've got userPassword (I presume plaintext) and
sambaNTPassword, which is NTLM and can be used for MSCHAPv2.
Nothing else will work.

What does the debug output look like now? What attribute is the
ldap module looking for to get the password? Is there a NTLM or
plaintext password in the record you are using?


Matthew Newton, Ph.D. <mcn4 at>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at>

More information about the Freeradius-Users mailing list