Yet Another PEAP-MSCHAPV2 problem

Alex Moen alexm at
Tue Sep 22 14:54:28 CEST 2015

On 09/21/2015 05:49 PM, Matthew Newton wrote:
>> So, I have switched (in the /etc/raddb/mods-available/ldap file) from:
>> 	control:Password-With-Header    += 'userPassword'
>> to:
>> 	control:Password-With-Header    += 'sambaNTPassword'
> Password-With-Header expects a {...} header at the start (see the
> man page for rlm_pap). So you can either use unlang to add the
> header on, or just update NT-Password instead, as in the ldap
> config.
> So in mods-enabled/ldap update {}, comment out
> control:Password-With-Header += 'userPassword', then
> uncomment
>    # control:NT-Password := 'ntPassword'
> and set it to
>    control:NT-Password := 'sambaNTPassword'

This fixed it.  Thanks so much for the help Matthew!  I would not have 
figured this out on my own!

Hopefully this can help someone else!

I've been working with radius and LDAP for years now.  Not these 
versions, of course, which are so much more refined and versatile.  But, 
these services are such that once you get them up and running, you 
rarely have to touch them again.  Like, in years.  Unless you're trying 
to do something new, which is when you are exposed to the new and 
improved versions.  Since they are so robust and well-made, you have to 
relearn everything.  It's quite a testament to the developers of these 
software packages, and I don't think they get enough credit or thanks. 
So, a huge THANK YOU to the developers for putting so much time and 
effort into this for us!!!


More information about the Freeradius-Users mailing list