Ms-Chap + NT-Password

Alan DeKok aland at
Tue Jan 8 19:05:28 CET 2019

On Jan 8, 2019, at 11:07 AM, Anton Kiryushkin <swood at> wrote:
> I have now read the documentation, but I still don't understand why the server
> chooses one method instead of others (I've read about attempts predict).

  In most cases, the *client* chooses the authentication method.  The server is just configured to allow many different methods.

> So,
> I have the following config file and I am trying to understand why it doesn't work:
> (Unfortunately, I don't understand why it works for
> mschapv2 and doesn't work for eap)

  Read the debug log for MSCHAPv2, and see how it's different from EAP.

> (291) eap: Peer sent packet with method EAP MD5 (4)
> (291) eap: Calling submodule eap_md5 to process data
> (291) eap_md5: ERROR: Cleartext-Password is required for EAP-MD5
> authentication
> (291) eap: ERROR: Failed continuing EAP MD5 (4) session.  EAP sub-module
> failed
> (291) eap: Sending EAP Failure (code 4) ID 8 length 4
> (291) eap: Failed in EAP select
> (291)       [eap] = invalid
> (291)     } # authenticate = invalid
> (291)   Failed to authenticate the user
> (291)   Using Post-Auth-Type Reject
> (291)   Post-Auth-Type sub-section not found.  Ignoring.
> My question is: why can't this client log in? I have the correct md5-hash in the
> database, which was added like "0x06d9ded822ff50138cda74ee2e771082".

  The debug log *tells you* why it doesn't work.  See the text just above.  It tells you what's going wrong, and what the server needs.

> The second question is: is it possible to check which module was
> used, eap or mschap? I want to use the correct hash from the database in case
> the mschapv2 module has been called.

  Your best bet is to just use Cleartext-Password, and let the server figure out what to do.

  Alan DeKok.
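
Added example (not part of the original message and not FreeRADIUS code): why the eap_md5 error in the debug log asks for Cleartext-Password. EAP-MD5 reuses the CHAP computation MD5(Identifier || password || Challenge), so a server that stores only a digest of the password cannot recompute the peer's response. The identifier, password and challenge below are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac


def eap_md5_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    # CHAP (RFC 1994) computation reused by EAP-MD5:
    # MD5(Identifier || secret || Challenge)
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def verify_with_cleartext(identifier, cleartext, challenge, response) -> bool:
    # With the cleartext password the server recomputes the exact response.
    expected = eap_md5_response(identifier, cleartext, challenge)
    return hmac.compare_digest(expected, response)


def verify_with_hash_only(identifier, stored_hash, challenge, response) -> bool:
    # A server holding only a digest has nothing valid to feed into the
    # formula. These are the guesses it could make; none reproduces the
    # peer's value, because the password is hashed together with the challenge.
    guesses = (
        eap_md5_response(identifier, stored_hash, challenge),
        eap_md5_response(identifier, stored_hash.hex().encode(), challenge),
        hashlib.md5(bytes([identifier]) + challenge + stored_hash).digest(),
    )
    return any(hmac.compare_digest(g, response) for g in guesses)


# Constructed sample values (assumptions, not taken from the thread).
IDENTIFIER = 8
PASSWORD = b"example-password"
CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")
STORED_MD5 = hashlib.md5(PASSWORD).digest()   # what a hash-only database holds
PEER_RESPONSE = eap_md5_response(IDENTIFIER, PASSWORD, CHALLENGE)

if __name__ == "__main__":
    print("cleartext stored:",
          verify_with_cleartext(IDENTIFIER, PASSWORD, CHALLENGE, PEER_RESPONSE))
    print("hash-only stored:",
          verify_with_hash_only(IDENTIFIER, STORED_MD5, CHALLENGE, PEER_RESPONSE))
```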
