Freeradius with LDAP, PEAP MSCHAPv2

Robert Plestenjak robert.plestenjak at
Thu Mar 29 09:51:15 CEST 2018

In LDAP I have LM hashed passwords (LM-Password) and radtest with PAP auth metod is successful, but when I switch to MSCHAP it fails.

So the problem is probably that clients (radtest, ...) sends NTLM hashes (NT-Password)?

On Mar 28, 2018, at 9:07 AM, Robert Plestenjak <robert.plestenjak at> wrote:
> I'm trying to set up authentication over PEAP-MSCHAPv2. In LDAP I have NTLM-hashed passwords
> Version is 3.0.13 from CentOS 7 repository.
> Testing with radtest is successful:

  We don't need to see the output of radtest.  See

> When I test with Wifi (Cisco Meraki), it fails:

  Reading the debug output helps.  As the Wiki page shows, look for ERROR or WARNING.  It's that simple.
> ...
> (18) ldap: Performing search in "dc=xlab,dc=si" with filter "(uid=robert_plestenjak)", scope "sub"
> (18) ldap: Waiting for search result...
> (18) ldap: User object found at DN "cn=Robert Plestenjak,ou=people,ou=xlab-research,dc=xlab,dc=si"
> (18) ldap: Processing user attributes
> (18) ldap: control:Password-With-Header += 'XXX'

  Which should be your "known good" password.

  I presume you've read the debug output enough to see the password and edit it.  Why not keep reading it?

> ...
> (18) mschap: Found Cleartext-Password, hashing to create NT-Password
> (18) mschap: Found Cleartext-Password, hashing to create LM-Password
> (18) mschap: Creating challenge hash with username: robert_plestenjak
> (18) mschap: Client is using MS-CHAPv2
> (18) mschap: ERROR: MS-CHAP2-Response is incorrect

  That's pretty clear.

  You entered the wrong password on the client.

  Alan DeKok.

List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list