Any way for ntlm_auth + winbind to not use ms-chap?

Matthew Newton mcn4 at
Thu Jun 16 23:36:42 CEST 2016

On Thu, Jun 16, 2016 at 11:51:09AM -0700, Mike Ely wrote:
> I'd like to use some other auth mechanism to pass the user/pass combination
> to the radius server and have it test there without having to go through the
> MS-CHAP challenge-response rigmarole. Main reason being getting Perl on the
> NAS side to manage all the MS-CHAP stuff appears to be a new problem to
> solve, somehow.
> How can this be done, and why shouldn't it be?

Not sure the question makes much sense. If you're doing MSCHAP
then there is a challenge/response by definition.

What "other auth mechanism" to pass the user/password to the
RADIUS server? That's RADIUS....

If you want to tell FreeRADIUS to do MSCHAP internally and not
call ntlm_auth then set control:MS-CHAP-Use-NTLM-Auth := No (see

Otherwise, sorry. I don't understand what you're asking.


Matthew Newton, Ph.D. <mcn4 at>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at>

More information about the Freeradius-Users mailing list