Sven Hartge sven at
Fri Jul 26 23:59:48 CEST 2019

On 26.07.19 21:34, J Kephart wrote:

> Let me see if I can be a little more clear.  I'm pretty sure that,
> reading the debug output, the problem is that the user password is not
> present in the packet that FR receives from the NAS.

MSCHAP is a Challenge-Response protcol, there is *no* password coming
from the NAS.

Everything the protocol does is contained in MS-CHAP-Challenge and

Both the client and the server need the cleartext-password (or the
NT/LM-Hash for MSCHAP) to be able to do the math for the handshake.

The server complains it has no Cleartext-Password or NT-Hash or LM-Hash
in the data it got from the database and thus rejects the client,
because there is nothing more it can do.

Solution: You need to have the users cleartext-password in your database.

And just in case the question comes up: no, it can't be hashed or
encrypted. If you want to do *any* challenge-response protocol like
MSCHAP, the server needs the cleartext-password, there is no
mathematical way around this.


More information about the Freeradius-Users mailing list