Ms-Chap + NT-Password

Alan DeKok aland at
Fri Dec 21 01:13:12 CET 2018

On Dec 20, 2018, at 6:18 PM, Anton Kiryushkin <swood at> wrote:
> You're right. My fault. Please see log below:

> ...
> (9) sql-wifi: Conditional check items matched, merging assignment check
> items
> (9) sql-wifi:   NT-Password :=
> 0x6336623331333036323736373866653636626166393538616561356566363138

  Again... that's all ASCII data.  You've taken the hex form of the string:


  And instead of just putting this into SQL:

	NT-Password := 0xc6b3130627678fe66baf958aea5ef618

  You've converted the ASCII representation to hex again... and then set that as the NT password.

  Don't do that.

> ...
> (9) eap_mschapv2:   Auth-Type MS-CHAP {
> (9) mschap: WARNING: NT-Password found but incorrect length, expected 16
> bytes got 12 bytes.  Authentication may fail

  And the NT password is mangled, as noted above.

  Why are you converting the hex string to ASCII *twice*?  Just take the output of smbencrypt, put a "0x" in front of it, and set it as NT-Password in the database:


$ smbencrypt hello
LM Hash			 	NT Hash
--------------------------------	--------------------------------
FDA95FBECA288D44AAD3B435B51404EE	066DDFD4EF0E9CD7C256FE77191EF43C

  And then:

	NT-Password := 0x066DDFD4EF0E9CD7C256FE77191EF43C

  You *don't* have to hex-encode the hex output of smbencrypt.

  Alan DeKok.

More information about the Freeradius-Users mailing list