AW: LDAP / mschap Error

Andreas Zwinzscher andreas.zwinzscher at
Thu Aug 25 15:06:32 CEST 2016

I have just started the backup image of the freeradius I have running there and only changed domain-related settings to test it within my domain here.

radtest -t mschap username password localhost 0 testing123  - that works. 

radtest -t mschap DOMAIN//username password localhost 0 testing123 - does not work. But the similar test went ok on the other domain. 

I then tried to use mschap:User-Name within die mschap-Module.

If do the same tests I got the following results:

First radtest: successful

# Executing group from file /etc/freeradius/sites-enabled/default
+group MS-CHAP {
[mschap] Client is using MS-CHAPv1 with NT-Password
[mschap]        expand: %{mschap:User-Name} -> andreas
[mschap]        expand: --username=%{%{mschap:User-Name}:-%{%{mschap:User-Name}:-None}} -> --username=andreas
[mschap]  mschap1: 6e
[mschap]        expand: %{mschap:Challenge} -> 6e675028a7b86d2b
[mschap]        expand: --challenge=%{%{mschap:Challenge}:-00} -> --challenge=6e675028a7b86d2b
[mschap]        expand: %{mschap:NT-Response} -> 2cc24f730d5712e709f82ffea1b52a97dbbfa18dba2397f0
[mschap]        expand: --nt-response=%{%{mschap:NT-Response}:-00} -> --nt-response=2cc24f730d5712e709f82ffea1b52a97dbbfa18dba2397f0
Exec output: NT_KEY: 98C1AA64F940C56ACE56C8ED4180CD12
Exec plaintext: NT_KEY: 98C1AA64F940C56ACE56C8ED4180CD12
[mschap] Exec: program returned: 0
[mschap] adding MS-CHAPv1 MPPE keys
++[mschap] = ok
+} # group MS-CHAP = ok

Second radtest: failed

# Executing group from file /etc/freeradius/sites-enabled/default
+group MS-CHAP {
[mschap] Client is using MS-CHAPv1 with NT-Password
[mschap]        expand: %{mschap:User-Name} -> BOD//andreas
[mschap]        expand: --username=%{%{mschap:User-Name}:-%{%{mschap:User-Name}:-None}} -> --username=BOD//andreas
[mschap]  mschap1: 5a
[mschap]        expand: %{mschap:Challenge} -> 5a8ba3f949317ff7
[mschap]        expand: --challenge=%{%{mschap:Challenge}:-00} -> --challenge=5a8ba3f949317ff7
[mschap]        expand: %{mschap:NT-Response} -> 4e9fb02ee0b213c62a0cb02d393fba46bd2587602625ff2d
[mschap]        expand: --nt-response=%{%{mschap:NT-Response}:-00} -> --nt-response=4e9fb02ee0b213c62a0cb02d393fba46bd2587602625ff2d
Exec output: Logon failure (0xc000006d)
Exec plaintext: Logon failure (0xc000006d)
[mschap] Exec: program returned: 1
[mschap] External script failed.
[mschap] MS-CHAP-Response is incorrect.
++[mschap] = reject
+} # group MS-CHAP = reject
Failed to authenticate the user.

In the startup-settings of the freeradius I found the following lines for mschapv2 (which is used by windows):

Module: Instantiating eap-mschapv2
   mschapv2 {
        with_ntdomain_hack = no
        send_error = no

Is there a option to enable the ntdomain-hack? Where can I find this line? It seems not to be /etc/freeradius/modules/mschap

-----Urspr√ľngliche Nachricht-----
Von: Freeradius-Users [ at] Im Auftrag von Matthew Newton
Gesendet: Donnerstag, 25. August 2016 12:37
An: FreeRadius users mailing list <freeradius-users at>
Betreff: Re: LDAP / mschap Error

On Thu, Aug 25, 2016 at 10:17:18AM +0000, Andreas Zwinzscher wrote:
> What I'am wondering about: On my other freeradius setup (older
> version) everything works well. Were there some changes within the 
> mschap - module that causes this problem?

Run FreeRADIUS in debug mode on the old server and see what ntlm_auth command it runs.

Compare with the same on the new server to see if it runs the same ntlm_auth command.

If different, run the ntlm_auth command from the old server on the new server and see if you get a successful authentication.

If so, fix up the FreeRADIUS config on the new server to use the same ntlm_auth command as the old server.

Otherwise I'd check the Samba config and domain join is all the same and working correctly.


Matthew Newton, Ph.D. <mcn4 at>

Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at>
List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list