mschap: eapol_test peap/mschap fails

Alan DeKok aland at
Tue Feb 26 23:03:12 CET 2019

On Feb 26, 2019, at 4:36 PM, Peter Kain <peter.kain at> wrote:
> I've been tasked with setting up a freeRADIUS (FR) server in order to
> join eduroam under the following conditions: authentication against
> Active Directory where we have two domains, the realm passed doesn't
> indicate the AD domain, and I can only join one domain "domainA", but
> there's trust between the domains.
>   realm = user at
> I've built a CentOS 7 server with FR 3.0.13 and winbind 4.8.3. Joined
> the server to the first domain and I'm able to authenticate users
> against both domains using the ntlm_auth command.

  Then those ntlm_auth commands should work for PEAP, too.

> As a first step, following the posted instructions "Configuring
> Authentication with Active Directory", I edited the mschap module to use
> ntlm_auth, setting "--domain=domainA".  And I've set radiusd to run as
> root. Using the eapol_test program I'm able to authenticate as userA
> using both "-c ttls-mschap.conf" & "-c peap-mschap.conf", and I'm able
> to authenticate my iPad to our wireless. So far everything works as
> expected when set up for a single domain.

  That's good.

> In order to authenticate to both AD domains I followed a forum posting
> "PEAP and multiple domains" and created two additional domain
> instances for mschap
> in the radius.conf and updated both the default and inner-tunnels.

  That might work.  It might also be too complex.  But whatever...

> raddb/radius.conf
>  ...
>  modules {

   We don't need to see the configuration files.  The message you get when you join the list says this.

> In the "authorize {" section, if mschap isn't commented out then it
> sets "Auth-Type = mschap".  This seems contrary to the documentation
> within the file. Again, running FR 3.0.13.
> Commenting out mschap and adding "mschap.domainA" appears to set
> "Auth-Type = MS-CHAP".  I'm not sure how the "Auth-Type" is determined,
> or why one configuration results in "Auth-Type = mschap" and another in
> "Auth-Type = MS-CHAP".

  They're just synonyms. 

>        Auth-Type MS-CHAP {
>                # mschap
>                group {
>                 mschap.domainA {
>                  reject = 1
>                  ok = return
>                  }
>                  mschap.domainB {
>                  ok = return

  You really shouldn't do that.  It is *very* bad practice to try to authenticate the user, and then if that fails, to try a different authentication method.

  The mschap module does cryptographic calculations.  If the user can't be authenticated, it adds an MS-CHAP rejection to the packet.  You then can't authenticate the user a second time....

  You should instead figure out which users are which, such as by checking the realm.  Then for realm A do MSCHAP A, for realm B do MSCHAP B.

> My apologies for not posting the "radius -X" for the failed
> eapol_test. There are restrictions at my site about posting server
> logs, I'm working on it.

  If we don't know what's going wrong, we can't really help you.

> Questions:
> 1)  Does it look like I've made any glaring mistakes or am I on the
> correct path?

  Mostly correct.  But you shouldn't run *two* mschap authentications.  Only one.  And, only the *right* one.

> 2) What can I do to make peap/mschap work under these circumstances?

  Since we don't know what's going wrong, I have no idea.

  Alan DeKok.
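Added example (not part of the original thread, and not FreeRADIUS project configuration): one way to express the advice above in FreeRADIUS 3.0 unlang, with two rlm_mschap instances and exactly one of them selected by realm in both the authorize and authenticate sections, so a failed MS-CHAP attempt is never followed by a second one. The instance names (mschap_domainA, mschap_domainB), the realm strings (domaina.example, domainb.example) and the ntlm_auth path are placeholders chosen for this example. Two points to check against a real install: the mschap xlat is registered under the instance name, so a named instance must reference %{mschap_domainA:...} rather than %{mschap:...}; and the suffix module only populates &Realm for realms that are defined in proxy.conf (or a DEFAULT realm), which is why the realm blocks are included. If both AD domains really arrive under one realm, as the poster describes, some other per-user lookup has to drive the same switch; this example does not attempt that.

```unlang
# --- proxy.conf: realms must exist for "suffix" to set &Realm ------------
# No auth_pool, so both realms are handled locally.
realm domaina.example {
}
realm domainb.example {
}

# --- mods-enabled/mschap: one instance per AD domain ----------------------
mschap mschap_domainA {
	use_mppe = yes
	# Placeholder path; the xlat name follows the instance name.
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=domainA --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap_domainA:Challenge}:-00} --nt-response=%{%{mschap_domainA:NT-Response}:-00}"
}

mschap mschap_domainB {
	use_mppe = yes
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=domainB --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap_domainB:Challenge}:-00} --nt-response=%{%{mschap_domainB:NT-Response}:-00}"
}

# --- sites-enabled/inner-tunnel: the PEAP inner request -------------------
server inner-tunnel {
	authorize {
		# Splits "user@realm" into Stripped-User-Name and Realm.
		suffix

		# Run the authorize method of ONE instance.  It sets Auth-Type
		# for the request; the other instance is never touched.
		switch &Realm {
			case "domaina.example" {
				mschap_domainA
			}
			case "domainb.example" {
				mschap_domainB
			}
			case {
				# Unknown realm: refuse rather than "try both".
				reject
			}
		}
	}

	authenticate {
		# A named instance whose name is not an Auth-Type dictionary
		# value sets Auth-Type = MS-CHAP, so select by realm again here.
		# Only one instance runs: a failed MS-CHAP check adds an
		# MS-CHAP-Error to the reply and cannot be retried elsewhere.
		Auth-Type MS-CHAP {
			switch &Realm {
				case "domaina.example" {
					mschap_domainA
				}
				case "domainb.example" {
					mschap_domainB
				}
				case {
					reject
				}
			}
		}
	}
}
```

To confirm the selection, run the server in debug mode and check that a single inner request shows exactly one of the two instances being called in authorize and again in authenticate, with no second ntlm_auth invocation after a rejection.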

More information about the Freeradius-Users mailing list