AW: LDAP / mschap Error

Andreas Zwinzscher andreas.zwinzscher at
Thu Aug 25 12:17:18 CEST 2016

Hi Alan,

thanks for the hint with "mschap:User-Name". I will try this.

What I'm wondering about: On my other freeradius setup (older version) everything works well. Were there some changes within the mschap module that cause this problem?


-----Original Message-----
From: Freeradius-Users [ at] On Behalf Of Alan Buxey
Sent: Thursday, 25 August 2016 11:45
To: FreeRadius users mailing list <freeradius-users at>
Subject: Re: LDAP / mschap Error


ignoring the object not found LDAP error...... (as obviously, if using local windows login names you may have issues with what their local name is and what your AD/LDAP names are...) your main problem is obviously here:

[mschap]        expand: --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -> --username=CORNET\\Administrator
[mschap] Creating challenge hash with username: Administrator
[mschap]        expand: %{mschap:Challenge} -> 4adcd405e7337023
[mschap]        expand: --challenge=%{%{mschap:Challenge}:-00} -> --challenge=4adcd405e7337023
[mschap]        expand: %{mschap:NT-Response} -> 47dddb601f337b40cbedc92fe89619468b70254dd2a7590e
[mschap]        expand: --nt-response=%{%{mschap:NT-Response}:-00} -> --nt-response=47dddb601f337b40cbedc92fe89619468b70254dd2a7590e
Exec output: Logon failure (0xc000006d)
Exec plaintext: Logon failure (0xc000006d)
[mschap] Exec: program returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] = reject

the output of debug is clearly showing you this..... so, as the REALM hasn't been stripped, Stripped-User-Name is the same as User-Name.... and is something that either you need to verify that realm is your AD one... or, you need to handle this.

it'll probably work if you simply use


instead of Stripped-User-Name or User-Name.....
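
The check described in the reply above, as an added example that is not part of the original thread: it reads mschap debug lines and reports when the name expanded into --username still carries a realm while the challenge hash used the bare name. The function names and result keys are hypothetical, and the sample is constructed from the debug lines quoted in the message.

```python
import re

# Constructed sample, copied from the debug lines quoted in the message.
SAMPLE_DEBUG = r"""
[mschap]        expand: --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -> --username=CORNET\\Administrator
[mschap] Creating challenge hash with username: Administrator
[mschap]        expand: %{mschap:Challenge} -> 4adcd405e7337023
Exec output: Logon failure (0xc000006d)
[mschap] FAILED: MS-CHAP2-Response is incorrect
"""

EXPAND_RE = re.compile(r"expand: --username=.* -> --username=(?P<name>\S+)")
HASH_RE = re.compile(r"Creating challenge hash with username: (?P<name>\S+)")
EXEC_RE = re.compile(r"Exec output: (?P<msg>.+)")


def split_realm(name):
    """Split a realm-prefixed (REALM + backslashes + user) or user@realm name."""
    m = re.match(r"^(?P<realm>[^\\@]+)\\+(?P<user>.+)$", name)
    if m:
        return m.group("realm"), m.group("user")
    if "@" in name:
        user, realm = name.rsplit("@", 1)
        return realm, user
    return None, name


def check_mschap_debug(text):
    """Compare the name handed to the external program with the hashed name."""
    result = {"ntlm_username": None, "hash_username": None, "realm": None,
              "exec_output": None, "realm_not_stripped": False}
    for line in text.splitlines():
        if (m := EXPAND_RE.search(line)):
            result["ntlm_username"] = m.group("name")
            result["realm"], _ = split_realm(m.group("name"))
        elif (m := HASH_RE.search(line)):
            result["hash_username"] = m.group("name")
        elif (m := EXEC_RE.search(line)):
            result["exec_output"] = m.group("msg").strip()
    # Condition from the reply: realm still present on the --username value,
    # while the challenge hash was built from the bare user name.
    if result["ntlm_username"] and result["hash_username"]:
        _, user = split_realm(result["ntlm_username"])
        result["realm_not_stripped"] = (
            result["realm"] is not None and user == result["hash_username"])
    return result
```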

