How to Integrate NAS MSCHAP x FreeRadius

Paulo Roberto Tomasi pztomasi at
Wed Jul 14 23:40:56 CEST 2021


I'm trying to configure FreeRadius to control Mikrotik logins (Winbox, SSH,
Telnet, etc.) + integration with Windows Active Directory.

After a lot of searching about LDAP config I was able to get an
Access-Accept from AD Server using radtest:

root at lab-01:~# radtest -x paulo pass at 777 0 testing123
Sent Access-Request Id 45 from to length 75
        User-Name = "paulo"
        User-Password = "pass at 777"
        NAS-IP-Address =
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = "pass at 777"
Received Access-Accept Id 45 from to length 20

User-Name "paulo" is an AD user


My NAS (Mikrotik) is trying to authenticate against FreeRadius, but it
sends an MS-CHAP-Challenge in its logs:

sending Access-Request with id 23 to 172.x.x.70:1812
    Signature = 0x00fbf419a1a52d28f3b7479a72eeda9c
    Service-Type = 1
    User-Name = "paulo"
    MS-CHAP-Challenge = 0x728c84707e975a66640bfd9bd4d2ed98
    MS-CHAP2-Response = 0x00004b64c3ae410e919c1adaf9ab1ea6
    Calling-Station-Id = "10.x.x.253"
    NAS-Identifier = "Mikrotik-1218"
    NAS-IP-Address =


Then the freeradius -X command gives me these warnings and errors:

(0) pap: WARNING: No "known good" password found for the user.  Not setting
(0) pap: WARNING: Authentication will fail unless a "known good" password
is available

(0) mschap: WARNING: No Cleartext-Password configured.  Cannot create
(0) mschap: WARNING: No Cleartext-Password configured.  Cannot create

(0) mschap: ERROR: FAILED: No NT/LM-Password.  Cannot perform authentication
(0) mschap: ERROR: MS-CHAP2-Response is incorrect


What do those lines want to say?

I didn't find any hints after hours of searching.

Thank you!
