FreeRadius + OpenLDAP + MSCHAP2

Matthew Newton mcn4 at
Fri Feb 3 11:35:58 CET 2017

On Fri, Feb 03, 2017 at 08:59:12AM +0000, SolidSystems | Alex Grigorescu wrote:
> But the goal is to be able to do user logins using the existing
> passwords without installing any 3rd party software on the
> clients (which is an impossible task).
> Is there a way to make FreeRadius authenticate the users against
> OpenLDAP without having ClearText or NT Hash stored passwords?

No, MSCHAPv2 can only work with NT hash or cleartext passwords.
The limitation is the protocols, not FreeRADIUS.


Your only option with Windows (8 or newer) is to use EAP-TTLS/PAP.
But Windows 7 can't do that without a 3rd party supplicant.

Or, as you've found, either rehash all the passwords, or go one
step better and use EAP-TLS with certificates.


Matthew Newton, Ph.D. <mcn4 at>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at>
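
Added example, not part of the original message or of FreeRADIUS: why EAP-TTLS/PAP can work with existing hashed passwords. PAP delivers the cleartext password to the server inside the TLS tunnel, so the server can re-hash it with the stored salt and compare. The {SSHA} storage scheme, the function names and the sample password are assumptions; the thread does not say which hash the directory uses.

```python
import base64
import hashlib
import hmac

SHA1_LEN = 20  # length of a SHA-1 digest in bytes


def make_ssha(password: str, salt: bytes) -> str:
    """Build an OpenLDAP-style value: {SSHA} + base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_pap(cleartext: str, stored: str) -> bool:
    """Check a password received via PAP against a stored {SSHA} value.

    This only works because the server holds the cleartext for the duration
    of the check. MSCHAPv2 never sends the password: the server must compute
    the expected response itself from the NT hash, and a salted SHA-1 value
    cannot be converted into an NT hash.
    """
    prefix = "{SSHA}"
    if not stored.startswith(prefix):
        raise ValueError("this example only handles {SSHA} values")
    raw = base64.b64decode(stored[len(prefix):], validate=True)
    if len(raw) <= SHA1_LEN:
        raise ValueError("value too short to contain a digest and a salt")
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(cleartext.encode("utf-8") + salt).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed sample data: fixed salt and password, for illustration only.
    stored_value = make_ssha("correct horse", b"\x01\x02\x03\x04")
    print(stored_value)
    print("right password:", verify_pap("correct horse", stored_value))
    print("wrong password:", verify_pap("battery staple", stored_value))
```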
