help with freeradius on u24 for eduroam with ntlm auth
Alan DeKok
alan.dekok at inkbridge.io
Tue Sep 23 11:34:18 UTC 2025
On Sep 22, 2025, at 7:54 PM, Rob Taylor via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> I'm following the guide from here:
>
> https://wiki.freeradius.org/guide/eduroam
That guide also says:

    In addition to the configuration files here, you will need to configure a module to talk to your user store (LDAP, Novell, Active Directory, SQL).

In your case, you want to configure ntlm.
> and I got the files based authentication to work, but I'm having an issue with the ntlm authentication.
You haven't configured ntlm authentication. You need to do that.
See my guide: https://deployingradius.com/documents/configuration/active_directory.html
> I've tested the samba part and that works, but when I try to auth to radius using ntlm,
>
> it gets rejected, and from what I can tell using tcpdump, it's not even
> hitting the ad servers, so something is wrong before it even gets to that point.
Did you tell FreeRADIUS to talk to Active Directory?
And why use tcpdump when the server has full debug output?
> I'm not sure if I have the radius config wrong, or if I'm doing something wrong with the eapol test.
>
> I have nltm_auth in both the inner-tunnel and default in sites-enabled in the authenticate section.
Where? "somewhere"?
> I think this is where it goes wrong:
>
> (8) mschap: Found Cleartext-Password, hashing to create NT-Password
> (8) mschap: Creating challenge hash with username: rgt at wi.mit.edu
> (8) mschap: Client is using MS-CHAPv2
> (8) mschap: ERROR: MS-CHAP2-Response is incorrect
>
> (8) eap_mschapv2: [mschap] = reject
It might be useful to look at the full debug output, as *all* of the documentation says to do.
> Should it be stripping the domain here? It looks like it is doing that in other places in the config.
>
> can someone steer me in the right direction?
Configure FreeRADIUS to use ntlm. Read the full debug output.
And if it still doesn't work, post the FULL DEBUG OUTPUT to the list. As suggested in ALL OF THE DOCUMENTATION. Including the message you get when you join the list.
Alan DeKok.