Problem with ntlm_auth between freeradius 3.0 and Samba 4 AD

Alan DeKok aland at
Mon Jul 9 18:15:09 CEST 2018

On Jul 9, 2018, at 9:43 AM, Benjamin DUPALUT <benjamin.dupalut at> wrote:
> I'm now trying to set up 802.1x Wi-Fi authentication on a Cisco Wi-Fi access
> point through a Cisco Wireless Controller.
> While local radtest works fine, when trying to authenticate via the Wi-Fi
> access point I get these errors:
> ...
>  mschap {
>  use_mppe = yes
>  require_encryption = no
>  require_strong = no
>  with_ntdomain_hack = yes
>   passchange {
>   }
>  allow_retry = yes
>  }

  Which isn't configured to use ntlm_auth. 

>  # Loading module "ntlm_auth" from file
> /etc/freeradius/3.0/mods-enabled/ntlm_auth
>  exec ntlm_auth {
>  wait = yes
>  program = "/usr/bin/ntlm_auth --request-nt-key
> --username=%{Stripped-User-Name} --password=%{User-Password}"
>  shell_escape = yes
>  }

  That works, if you set "Auth-Type := ntlm", and then only for User-Password.

  i.e. not for MSCHAP, and not for PEAP.

> *(7) mschap: WARNING: No Cleartext-Password configured.  Cannot create
> NT-Password(7) mschap: WARNING: No Cleartext-Password configured.  Cannot
> create LM-Password(7) mschap: Creating challenge hash with username:
> dupalutb at <dupalutb at>(7) mschap: Client is using
> MS-CHAPv2(7) mschap: ERROR: FAILED: No NT/LM-Password.  Cannot perform
> authentication(7) mschap: ERROR: MS-CHAP2-Response is incorrect(7)
> [mschap] = reject(7)   } # authenticate = reject(7) eap: Sending EAP
> Failure (code 4) ID 8 length 4*

  Please don't edit the debug output.  Your mailer is reformatting the debug output.  That makes it harder to read.


  See the section titled "Configuring FreeRADIUS to use ntlm_auth for MS-CHAP"

  Follow the instructions in the page, and it *will* work.

  If you only read half of the documentation, it will only work half-way.

> but I don't understand why it doesn't accept the password provided by the
> Wireless controller.

  Because you didn't completely follow the documentation.  You only did part of it.

> Furthermore, I also don't understand this message, which worries me:
> *(7) WARNING: Outer and inner identities are the same.  User privacy is
> compromised.*
> Can you please help me find the source of these problems?

  The outer user name is supposed to be either "anonymous", or "@domain", or "anonymous at domain".

  That ensures anyone who can see the RADIUS traffic can't tell which user is logging in.  The real user name is inside of the TLS tunnel.

  Alan DeKok.
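Added example (not part of Alan's reply or of the FreeRADIUS project's shipped files): the mschap module stanza that the "Configuring FreeRADIUS to use ntlm_auth for MS-CHAP" documentation describes. The poster's exec module calls ntlm_auth with --password, which only works for a PAP request carrying User-Password; for MS-CHAPv2 (and therefore PEAP) the challenge and NT-Response have to be handed to winbind through the mschap module's own ntlm_auth setting. The file path is the one from the poster's debug output; EXAMPLE is a placeholder for the AD domain name.

```conf
# /etc/freeradius/3.0/mods-available/mschap
# (EXAMPLE is a placeholder; use the short NetBIOS name of the AD domain)
mschap {
	use_mppe = yes
	require_encryption = no
	require_strong = no
	with_ntdomain_hack = yes

	# Hand the MS-CHAP challenge and the client's NT-Response to Samba's
	# winbind instead of expecting a Cleartext-Password or NT-Password
	# attribute to be present. The :-None / :-00 defaults keep the command
	# well-formed if an attribute is missing, so the failure is logged by
	# ntlm_auth rather than by a broken shell expansion.
	# Newer Samba releases also require --allow-mschapv2 here; add it if
	# your ntlm_auth --help lists that option.
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"

	passchange {
	}
	allow_retry = yes
}
```

Two checks before restarting the daemon: run ntlm_auth by hand as the system user FreeRADIUS runs under (that user needs read access to winbind's privileged pipe, which on Debian means membership in the winbindd_priv group), and confirm that the inner-tunnel virtual server used by PEAP lists mschap in both its authorize and authenticate sections. With this in place the debug log shows mschap calling ntlm_auth and the "No NT/LM-Password" error disappears, because the module no longer tries to derive the NT hash itself.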

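Added example for the second question, not from the thread: a wpa_supplicant network block that separates the outer (cleartext) EAP identity from the inner one, which is what makes the "Outer and inner identities are the same" warning go away. All values are constructed placeholders.

```conf
# wpa_supplicant.conf network block (constructed example; ssid, realm,
# user name, password and CA path are placeholders)
network={
	ssid="corp-wifi"
	key_mgmt=WPA-EAP
	eap=PEAP
	phase2="auth=MSCHAPV2"

	# Weak form, as in the poster's setup: no anonymous_identity, so the
	# supplicant sends the real user name in the unprotected EAP-Identity
	# response and again inside the tunnel:
	#   identity="jdoe@example.com"

	# Corrected form: the outer identity carries only the realm so RADIUS
	# proxies can still route the request, while the real user name is
	# sent only inside the TLS tunnel.
	anonymous_identity="anonymous@example.com"
	identity="jdoe@example.com"
	password="PLACEHOLDER"

	# Pin the RADIUS server's CA; without this the inner MS-CHAPv2 exchange
	# would be offered to any access point that presents a certificate.
	ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
}
```

On the server side the outer identity never reaches the AD lookup: FreeRADIUS uses the inner-tunnel User-Name for mschap and ntlm_auth, so "anonymous@example.com" needs no account in the domain.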
More information about the Freeradius-Users mailing list