Using Cleartext-Password with MS-CHAP-Use-NTLM-Auth := No

Alan DeKok aland at
Sun Feb 2 03:54:24 CET 2020

On Feb 1, 2020, at 9:41 PM, Richard Green < at> wrote:
> With mschap, to avoid calling an expensive external program for both my authorize and authenticate (multiotp), it is appealing to set "MS-CHAP-Use-NTLM-Auth := No" in the control items, and the mschap module will do the authentication itself without calling ntlm_auth, however I have failed thus far to get this working: how to I make the Cleartext-Password available?

  Via the "users" file, or any database. 

> radtest appears to send the a  Cleartext-Password (actually an OTP token which has been accepted in the authorize section):

  No.  Cleartext-Password is an "internal" attribute that is never sent in a RADIUS packet.

  radtest prints out Cleartext-Password in order to show you that it's using the password.  But the actual authentication method is MS-CHAP.

> However the server component appears not to expose Cleartext-Password for my use. From raddebug:

  The server doesn't *see* the Cleartext-Password.  Because it's not in the packet.

> (3) Sun Feb  2 02:19:01 2020: Debug: Received Access-Request Id 76 from to length 129
> (3) Sun Feb  2 02:19:01 2020: Debug:   User-Name = "bob"

   Run "radiusd -X".  Not "-Xx", "-Xxxx", or anything else.  This recommendation is documented *everywhere*.

  If you want to use PAP authentication, then have radtest send a User-Password attribute.  And, don't send *both* User-Password and MS-CHAP in the same packet.

  Alan DeKok.

More information about the Freeradius-Users mailing list