Yet Another PEAP-MSCHAPV2 problem

Alex Moen alexm at
Tue Sep 22 00:06:29 CEST 2015

Hi Alan,

Yeah, I figured that out once I found that I was barking up the wrong... 
um... branch.  I have modified my config to look for the full 
user@domain, as it is in our UIDs.

Thanks for the link, I will read through that.  Half the battle is 
finding the proper information.  I am changing to use the Samba NT 
Password field, since I'm using MSCHAPv2 and this is the only field 
(other than a cleartext password field) that will work.  Still running 
into issues, though, and now it's quitting time...



On 09/21/2015 04:55 PM, A.L.M.Buxey at wrote:
> Hi,
>> of the differences between the "branches" of the directory tree, is
>> that the incorrect one is using Crypt passwords, and the correct one
>> is using SSHA passwords.  Seems that the SSHA passwords are not
>> working while the Crypt passwords do.
> well, as others have pointed out, there's an issue with the format of
> the name too.  uid=xxxxx must match, you can't look for uid=user and
> expect uid=user@realm to match  - so you may want to vary your ldap
> query based on the username - perhaps do a user-name check if there's
> a realm that's not handled properly?
> how does your LDAP server present the password? LDAP is not an authentication
> system, it's an 'oracle' of values - so you may need to tell FreeRADIUS what
> format the reply value is - read the LDAP and FreeRADIUS password format docs
> eg
> alan

Alex Moen
North Dakota Telephone Company
