help with freeradius on u24 for eduroam with ntlm auth
Matthew Newton
mcn at freeradius.org
Tue Sep 23 16:31:26 UTC 2025
On 23/09/2025 12:04, Rob Taylor via Freeradius-Users wrote:
> Below are full debug logs.
> Trying to use freeradius to authenticate to AD, so that I can use it to
> support eduroam.
> using eapol to test, which worked correctly with files.
>
>
>> # Loaded module rlm_mschap
>> # Loading module "mschap" from file
>> /etc/freeradius/3.0/mods-enabled/mschap
>> mschap {
>> use_mppe = yes
>> require_encryption = no
>> require_strong = no
>> with_ntdomain_hack = yes
>> passchange {
>> }
>> allow_retry = yes
>> winbind_retry_with_normalised_username = no
>> }

You haven't configured ntlm_auth or winbind here, so mschap can't do any
external authentication.

>> # Loading module "ntlm_auth" from file
>> /etc/freeradius/3.0/mods-enabled/ntlm_auth
>> exec ntlm_auth {
>> wait = yes
>> program = "/usr/bin/ntlm_auth --request-nt-key --allow-mschapv2
>> --domain=ccdom --username=%{mschap:User-Name} --password=%{User-Password}"
>> shell_escape = yes
>> }

Don't use the 'ntlm_auth' configuration. It's for PAP based auth only,
and sends the password in the clear. If you want this, use LDAP instead.

>> (8) inner-eap: Removing EAP session with state 0x17eaa20b170cb824
>> (8) inner-eap: Previous EAP request found for state 0x17eaa20b170cb824,
>> released from the list
>> (8) inner-eap: Peer sent packet with method EAP MSCHAPv2 (26)
>> (8) inner-eap: Calling submodule eap_mschapv2 to process data
>> (8) eap_mschapv2: # Executing group from file
>> /etc/freeradius/3.0/sites-enabled/inner-tunnel
>> (8) eap_mschapv2: authenticate {
>> (8) mschap: Found Cleartext-Password, hashing to create NT-Password
>> (8) mschap: Creating challenge hash with username: rgt at wi.mit.edu
>> (8) mschap: Client is using MS-CHAPv2
>> (8) mschap: ERROR: MS-CHAP2-Response is incorrect

Internal MSCHAP auth only.

>> (8) eap_mschapv2: [mschap] = reject
>> (8) eap_mschapv2: } # authenticate = reject
>> (8) eap_mschapv2: MSCHAP-Error: ?E=691 R=1
>> C=af9121d55ab76fc424446fdeafaacdc3 V=3 M=Authentication rejected
>> (8) eap_mschapv2: Found new challenge from MS-CHAP-Error: err=691 retry=1
>> challenge=af9121d55ab76fc424446fdeafaacdc3
>> (8) eap_mschapv2: ERROR: MSCHAP Failure

Never tried to contact winbind because it's not configured in the mschap
module.

Fix that config and you should make progress.

--
Matthew
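
An added example, not part of the original message and not FreeRADIUS project code: a Python check for the two problems named in the reply, run over a module dump as printed in the debug output. The function names and the sample dump are constructed for illustration; `ntlm_auth` and `winbind_username` are the rlm_mschap options that enable external authentication.

```python
import re

# Constructed sample, modelled on the module dump quoted in the message above.
SAMPLE = '''
mschap {
  use_mppe = yes
  allow_retry = yes
}
exec ntlm_auth {
  program = "/usr/bin/ntlm_auth --request-nt-key --domain=ccdom --username=%{mschap:User-Name} --password=%{User-Password}"
}
'''

KEY = re.compile(r"^([A-Za-z_]\w*)\s*=\s*(.*)$")
# rlm_mschap options that pass the MS-CHAP exchange to Samba (ntlm_auth or winbind).
EXTERNAL_KEYS = {"ntlm_auth", "winbind_username"}

def parse_blocks(text):
    """Return {block header: {option: value}} for top-level module blocks."""
    blocks, stack, last = {}, [], None
    for raw in text.splitlines():
        line = raw.lstrip("> \t").rstrip()          # accept mail-quoted dumps
        if not line or line.startswith(("#", "(")):  # comments, request log lines
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())
            if len(stack) == 1:
                blocks[stack[0]] = {}
            last = None
        elif line == "}":
            stack, last = stack[:-1], None
        elif len(stack) == 1:
            m = KEY.match(line)
            if m:
                last = m.group(1)
                blocks[stack[0]][last] = m.group(2)
            elif last:                               # wrapped value, e.g. a long program line
                blocks[stack[0]][last] += " " + line
    return blocks

def audit(text):
    """Hypothetical helper: list the two misconfigurations named in the reply."""
    findings, blocks = [], parse_blocks(text)
    if "mschap" in blocks and EXTERNAL_KEYS.isdisjoint(blocks["mschap"]):
        findings.append("mschap: no ntlm_auth or winbind_username, internal MS-CHAP only")
    for header, opts in blocks.items():
        if header.startswith("exec") and "%{User-Password}" in opts.get("program", ""):
            findings.append(header + ": PAP-only, hands the cleartext password to the program")
    return findings
```
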