Freeradius3 with PEAP and LDAP

Alan DeKok aland at
Tue Aug 28 13:55:02 CEST 2018

On Aug 28, 2018, at 4:11 AM, Carsten Schulze <carsten.schulze at> wrote:
> I am trying to convert our freeradius2 setup to a new freeradius3 configuration.

  It's better to start with the default v3 configuration, and then gradually add pieces from the v2 config.  That way it starts off as working.  And, you can tell when it breaks, and what change broke it.

> A setup with TTLS + PAP is working, but when I switch to PEAP I get the following output.
> Any idea, or a howto with an LDAP provider with NT-Hashes?

  The problem isn't LDAP or NT hashes.

> radiusd: FreeRADIUS Version 3.0.12, for host x86_64-pc-linux-gnu, built on Aug 10 2017 at 07:05:06
> ...
> (10) pap: Normalizing NT-Password from hex encoding, 32 bytes -> 16 bytes
> (10) pap: No User-Password attribute in the request.  Cannot do PAP
> (10)       [pap] = noop
> (10)     } # authorize = updated
> (10)   ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject

  For one, you didn't post the *full* debug output as suggested here:

  That would have let us know exactly what was going on.

  Without that, my best guess is that you deleted the "eap" module from the "inner-tunnel" virtual server.  Add it back (as per the default config), and it should work.

  Alan DeKok.
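
An added example, not part of the original message and not FreeRADIUS code: a small check for the condition suggested above, that the inner-tunnel virtual server no longer calls the eap module. The function names and both sample configs are constructed, the brace-tracking parser is a simplification of the config syntax, and checking authenticate as well as authorize assumes the stock v3 inner-tunnel layout.

```python
def calls_module(config_text, server, section, module):
    """True if `module` (as "name", "-name" or "name {") is called in `section` of `server`."""
    stack = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments (simplified)
        head = line.split("{", 1)[0].strip()   # text before an opening brace
        inside = stack[:2] == [f"server {server}", section]
        if inside and head.lstrip("-") == module:
            return True
        delta = line.count("{") - line.count("}")
        if delta > 0:
            stack.append(head)
        elif delta < 0 and stack:
            stack.pop()
    return False

def missing_eap(config_text, server="inner-tunnel"):
    """Sections of the inner tunnel that never call the eap module."""
    return [s for s in ("authorize", "authenticate")
            if not calls_module(config_text, server, s, "eap")]

BROKEN = """# Constructed sample: inner tunnel with the eap module removed
server inner-tunnel {
    authorize {
        ldap
        pap
    }
    authenticate {
        pap
    }
}
"""
FIXED = """# Constructed sample: eap restored in both sections
server inner-tunnel {
    authorize {
        eap {
            ok = return
        }
        ldap
        pap
    }
    authenticate {
        eap
    }
}
"""

if __name__ == "__main__":
    print(missing_eap(BROKEN), missing_eap(FIXED))
```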
