freeradius sql MD5-Password pap fails

Jan-Christoph Fuchs jcfuchs at
Thu Sep 29 17:52:30 CEST 2016

Hello Adam, Brian,

thanks for your fast reply,
The only things that interessts me are hashed passwords in the database to keep my ass free and dynamic vlan to resolve the traffic. Wireless security doesnt matter for me.

I have changed radcheck from md5-passowrd to NT-Password and it works for IOS, MacOS and Android. I have also tried Win7 with no success. Now i am downloading Win 10 for the next test.

Can you please tell me whats the background to NT-Password, what do I have to configure or install in Win 7 to make it work.
Does it work with Win8, Win10 without any config/tools?

What are the advantages/disadvantages in the solution from Adam and Brien? 

Whats the role of the suplicant (Accesspoint) Do I have to note something special?

Best regards

> Am 29.09.2016 um 16:15 schrieb Brian Candler <b.candler at>:
> On 29/09/2016 12:32, Jan-Christoph Fuchs wrote: 
>> No I have changed the Database table radcheck to store MD5-Password. Tests with radtest works, but livetest will be rejected. 
>> I really dont know much about protocolls (pap, chap, eap and so on) Debigging freeradius told me that radtest uses pap 
> You can use "radtest -t mschap ...." to check with MSCHAP authentication. 
> > [eap] processing type mschapv2 
> It looks like your wireless clients are using PEAPv0, which is a TLS tunnel on the outside and MSCHAP on the inside. This is the "normal" way of doing wireless authenticate. 
> However, you cannot authenticate MSCHAP with an MD5-hashed password. You need either the cleartext password, or the NT LAN Manager password hash. 

More information about the Freeradius-Users mailing list