Using Cleartext-Password with MS-CHAP-Use-NTLM-Auth := No

Richard Green at
Mon Feb 3 01:53:43 CET 2020

Thank you, using the files mod sets the password nicely, however the MS-CHAP2-Response is reported to be incorrect, sorry I could not find any more detailed docs to help me use the module's inbuilt functionality.

(0)   } # authorize = ok
(0) Found Auth-Type = mschap
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0)   Auth-Type mschap {
(0) multiotpmschap: Found Cleartext-Password, hashing to create NT-Password
(0) multiotpmschap: Found Cleartext-Password, hashing to create LM-Password
(0) multiotpmschap: Client is using MS-CHAPv1 with NT-Password
(0) multiotpmschap: ERROR: MS-CHAP2-Response is incorrect
(0)     [multiotpmschap] = reject
(0)   } # Auth-Type mschap = reject

The full output from radiusd -X is at with the error report on line 780.



From: Freeradius-Users < at> on behalf of Alan DeKok <aland at>
Sent: Sunday, 2 February 2020 1:54 PM
To: FreeRadius users mailing list <freeradius-users at>
Subject: Re: Using Cleartext-Password with MS-CHAP-Use-NTLM-Auth := No

On Feb 1, 2020, at 9:41 PM, Richard Green < at> wrote:
> With mschap, to avoid calling an expensive external program for both my authorize and authenticate (multiotp), it is appealing to set "MS-CHAP-Use-NTLM-Auth := No" in the control items, and the mschap module will do the authentication itself without calling ntlm_auth, however I have failed thus far to get this working: how to I make the Cleartext-Password available?

  Via the "users" file, or any database.

> radtest appears to send the a  Cleartext-Password (actually an OTP token which has been accepted in the authorize section):

  No.  Cleartext-Password is an "internal" attribute that is never sent in a RADIUS packet.

  radtest prints out Cleartext-Password in order to show you that it's using the password.  But the actual authentication method is MS-CHAP.

> However the server component appears not to expose Cleartext-Password for my use. From raddebug:

  The server doesn't *see* the Cleartext-Password.  Because it's not in the packet.

> (3) Sun Feb  2 02:19:01 2020: Debug: Received Access-Request Id 76 from to length 129
> (3) Sun Feb  2 02:19:01 2020: Debug:   User-Name = "bob"

   Run "radiusd -X".  Not "-Xx", "-Xxxx", or anything else.  This recommendation is documented *everywhere*.

  If you want to use PAP authentication, then have radtest send a User-Password attribute.  And, don't send *both* User-Password and MS-CHAP in the same packet.

  Alan DeKok.

List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list