Alan DeKok aland at
Wed Dec 1 16:18:53 CET 2021

On Dec 1, 2021, at 9:48 AM, Diego Forcella <diego.forcella at> wrote:
> I tried radtest both with -t chap and with -t mschap
> With -t chap I view CHAP-Password that is encrypted but with -t mschap I have MS-CHAP-Password that is clear-text and is the same of Cleartext-password , it's not possible mapping MS-CHAP-Password to Cleartext-Password?

  Read the debug output on the *server*.  The MS-CHAP-Password attribute is used internally by radclient.  It's not sent in a RADIUS packet.

  If there was a way to do it, I would have told you.  There's no need to ask the same question over and over.  The answer won't change.

> Excuse if maybe this is a stupid question for you but I'm a newbie, where you suggest that I can start to study this feature/configuration?

  There's a ton of standards documents which explain how CHAP and MS-CHAP work.  But there's no point in reading them.  They'll give you technical information about how the protocols work.  They won't help make CHAP / MS-CHAP work with Google LDAP.

  CHAP and MS-CHAP don't work with Google LDAP.  That's it.  It's that simple.  There's nothing more to do.  The reasons are complex, and buried inside of 40 page standards documents.

  Alan DeKok.

More information about the Freeradius-Users mailing list