MS-CHAPv2 not working

Alan DeKok aland at
Wed May 1 14:50:58 CEST 2019

On Apr 30, 2019, at 7:36 PM, Matthew McTague via Freeradius-Users <freeradius-users at> wrote:
> Does anyone know why MS-CHAPv2 may not be working on a new FreeRADIUS implementation we've built?

  You edited the configuration and broke it.  Don't do that.

> I'm trying to do MS-CHAPv2 with a SQL database, not with LDAP.
> The issue only occurs when a realm is added to the username (on the RADIUS client). As I understand, as nostrip is not entered in the relevant realm block in /etc/raddb/proxy.conf, this should be stripped.

  The MS-CHAP calculations are done with the User-Name.  If you mangle the User-Name, the MS-CHAP calculations will be wrong.

> radiusd -X output is at

  Just post it here.  That's what the documentation says to do.

> Information and passwords have been changed / sanitized.

> rad_recv: Access-Request packet from host port 60421, id=170, length=278
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         NAS-Port = 15732821
>         NAS-Port-Type = Ethernet
>         User-Name = "testuser at"

  This is the real User-Name.

> [preprocess]    expand: %{User-Name} -> testuser at
> [preprocess]   hints: Matched DEFAULT at 36
> [preprocess]    expand: %{1} -> testuser

  Then you mangle it, for reasons unexplained.

> [mschap] Creating challenge hash with username: testuser

  Which is not the correct User-Name.

> [mschap] Client is using MS-CHAPv2 for testuser, we need NT-Password
> [mschap] FAILED: MS-CHAP2-Response is incorrect

  And MS-CHAP fails.

  Don't re-write the User-Name.  If you need to support realms, the "realms" module does this already.  And, it does it in a way that *doesn't* break everything.

  Delete the "hints" configuration which re-writes the User-Name.

  Add in "" as a local realm to proxy.conf.

  It *will* work.

  Alan DeKok.
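As an added illustration (not part of Alan's reply and not taken from the FreeRADIUS distribution), the two configuration pieces his advice refers to: a hints entry of the shape the debug output shows, which is the thing to delete, and a local realm block for proxy.conf. The realm name example.com and the exact regular expression are assumptions; the original system's hints entry and realm name are not shown on the page.

```conf
# ---- raddb/hints (mods-config/preprocess/hints on FreeRADIUS 3.x) ----
# BROKEN: an entry of this shape produces the debug lines
#   "hints: Matched DEFAULT" and "expand: %{1} -> testuser" quoted above.
# It overwrites User-Name with the part before the "@", so mschap later
# builds its challenge hash from "testuser" while the client hashed the
# full name it sent.  Delete it.
# (Hypothetical reconstruction; the regex is an assumption, not the
# entry from the original system.)
DEFAULT	User-Name =~ "^([^@]+)@"
	User-Name := "%{1}"

# ---- raddb/proxy.conf ----
# FIXED: declare the realm as local.  A realm block with no authhost or
# accthost is handled on this server rather than proxied.  Without
# "nostrip" the realm module sets Stripped-User-Name = "testuser" and
# Realm = "example.com" and leaves User-Name itself untouched, which is
# what the MS-CHAP calculation needs.  (example.com is an assumed name.)
realm example.com {
}

# ---- raddb/sql.conf (mods-available/sql on 3.x), shipped default ----
# The SQL lookups key on Stripped-User-Name when the realm module has set
# it, so the user row is still found without rewriting User-Name.
sql_user_name = "%{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}"
```

The realm module (`suffix`) is already listed in the authorize section of the default virtual server, so no further change is needed for the realm to be recognised. After the edit, `radiusd -X` should show the suffix module finding the realm and mschap creating its challenge hash with the full User-Name instead of the stripped one.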
