Using existing NTLM hashes

Maarten freeradius-list at
Thu Sep 21 12:21:58 CEST 2017

Hi all,

Thanks Arran and Alan for your responses. I'll see if I can get Freeradius to bind to LDAP as the user that is authenticating, and depending on the result, succesfully auithenticate the user.

From: Freeradius-Users < at> on behalf of Arran Cudbard-Bell <a.cudbardb at>
Sent: Thursday, September 21, 2017 10:47 AM
To: FreeRadius users mailing list
Subject: Re: Using existing NTLM hashes

rlm_ldap no longer strips off password headers (as it did in v2).

{ntlm} is not a supported header. It doesn't to any kind of hashing scheme, you need to use nt or nthash.

You can use rlm_pap to do password normification only, by listing it after ldap, but before mschap/eap in the authorize section of the inner tunnel server, then removing any references to the pap module in the authenticate section of the inner tunnel server.

rlm_pap will process any Password-With-Header attributes, converting them into the correct attribute and adding them to the control list.

We should probably move this out into a separate module in v4, but that's the way it's done for v3.


More information about the Freeradius-Users mailing list