I am running a CentOS 6.6 64-bit server with FreeRADIUS 2.1.12 installed from the base repository. Additionally I am using MultiOTP (http://www.multiotp.net/), which is configured to connect to our Windows 2012 R2 Server.

The MultiOTP Version is and for configuring FreeRADIUS I have used this guide: http://wiki.freeradius.org/guide/multiOTP-HOWTO

I couldn't find any information about older FreeRADIUS versions but at least using PAP seems to work:

radtest -t pap -x myusername mypasswordandtoken localhost 1812 sharedsecret
Sending Access-Request of id 95 to port 1812
    User-Name = "myusername"
    User-Password = "mypasswordandtoken"
    NAS-IP-Address =
    NAS-Port = 1812
    Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host port 1812, id=95, length=20

The radiusd -X output looks like the following:

[suffix] No '@' in User-Name = "myusername", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++? if (control:Auth-Type == 'MS-CHAP')
    (Attribute control:Auth-Type was not found)
? Evaluating (control:Auth-Type == 'MS-CHAP') -> FALSE
++? if (control:Auth-Type == 'MS-CHAP') -> FALSE
++- entering else else {...}
+++? if (!control:Auth-Type)
? Evaluating !(control:Auth-Type) -> TRUE
+++? if (!control:Auth-Type) -> TRUE
+++- entering if (!control:Auth-Type) {...}
++++[control] returns noop
+++- if (!control:Auth-Type) returns noop
++- else else returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = multiotp
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group multiotp {...}
[multiotp]  expand: '%{User-Name}' -> 'myusername'
[multiotp]  expand: '%{User-Password}' -> 'mypasswordandtoken'
[multiotp]  expand: -src=%{Packet-Src-IP-Address} -> -src=
[multiotp]  expand: -chap-challenge=%{CHAP-Challenge} -> -chap-challenge=
[multiotp]  expand: -chap-password=%{CHAP-Password} -> -chap-password=
[multiotp]  expand: -ms-chap-challenge=%{MS-CHAP-Challenge} -> -ms-chap-challenge=
[multiotp]  expand: -ms-chap-response=%{MS-CHAP-Response} -> -ms-chap-response=
[multiotp]  expand: -ms-chap2-response=%{MS-CHAP2-Response} -> -ms-chap2-response=
Exec-Program output:
Exec-Program: returned: 0
++[multiotp] returns ok

Running radtest with -t mschap doesn't work; the RADIUS output is this:

[suffix] No '@' in User-Name = "myusername", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++? if (control:Auth-Type == 'MS-CHAP')
? Evaluating (control:Auth-Type == 'MS-CHAP') -> TRUE
++? if (control:Auth-Type == 'MS-CHAP') -> TRUE
++- entering if (control:Auth-Type == 'MS-CHAP') {...}
+++[control] returns noop
++- if (control:Auth-Type == 'MS-CHAP') returns noop
++ ... skipping else for request 1: Preceding "if" was taken
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = multiotpmschap
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group multiotpmschap {...}
[multiotpmschap] Told to do MS-CHAPv1 with NT-Password
[multiotpmschap]    expand: %{User-Name} -> myusername
[multiotpmschap]    expand: %{User-Password} -> 
[multiotpmschap]    expand: -src=%{Packet-Src-IP-Address} -> -src=
[multiotpmschap]    expand: -chap-challenge=%{CHAP-Challenge} -> -chap-challenge=
[multiotpmschap]    expand: -chap-password=%{CHAP-Password} -> -chap-password=
[multiotpmschap]    expand: -ms-chap-challenge=%{MS-CHAP-Challenge} -> -ms-chap-challenge=0xdf908aaeb26f4444
[multiotpmschap]    expand: -ms-chap-response=%{MS-CHAP-Response} -> -ms-chap-response=0x0001000000000000000000000000000000000000000000000000fbb0b53f018a0e1fec964169db2b88be0ca521a8d8a234b6
[multiotpmschap]    expand: -ms-chap2-response=%{MS-CHAP2-Response} -> -ms-chap2-response=
Exec-Program output: NT_KEY: F1111A9A8F0E249D347BE73B2D538685
Exec-Program-Wait: plaintext: NT_KEY: F1111A9A8F0E249D347BE73B2D538685
Exec-Program: returned: 99
[multiotpmschap] External script failed.
[multiotpmschap] MS-CHAP-Response is incorrect.
++[multiotpmschap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]         expand: %{User-Name} -> myusername
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.6 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 105 to port 49595
    MS-CHAP-Error = "\000E=69
Waking up in 4.9 seconds.

Also connecting an application which does MS-CHAPv2 authentication to FreeRADIUS produces the same error as using mschap with radclient.

Does anyone know if this version of FreeRADIUS can be used with MultiOTP when it connects to an Active Directory?


3 Answers


Yes, you are right, MSCHAP and MSCHAPv2 are hashing the password, so if the password is [PIN/internal password + token], it's still ok for multiOTP to recalculate it, but with AD password, there is no way to do it, as we don't have the AD password stored in multiOTP.


This setup, encrypted AD + token (MSCHAP) using MultiOTP, does not depend on what version of FreeRADIUS you are using. If you go deeper into how things work, you will realize that this is not possible. Right now, I believe there is no way for MultiOTP to regenerate the hash using the AD password from its database + token to match the encrypted password (using MSCHAP) from the client. Just imagine decrypting the hash, say on 128 bits.

It is working for PAP because strings being compared for authentication are plain text. In this case, it is easy for MultiOTP to reconstruct strings unlike in the encrypted form.

I hope this also answers why you are getting the error.


Instead of:

Username: username
Password: [password] + [OTP]

You can now use:

Username: username:OTP
Password: password

Example for username = john, password = myBigPassword, OTP = 123456

Username: john:123456
Password: myBigPassword

As the OTP changes all the time, it's totally secure and MS-CHAPv2 works :-)
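The reasoning in the two answers above (an MS-CHAP/MS-CHAPv2 response is derived from the NT hash of exactly the string the client typed, so neither AD nor multiOTP holds a hash that can verify password+OTP) and the username:OTP workaround from the last answer, modelled in Python as an added example that is not code from this page or from multiOTP. Assumptions: a pure-Python MD4 (OpenSSL 3 only exposes md4 through its legacy provider), RFC 4226 HOTP standing in for multiOTP's token algorithm, a constructed user directory, and the NT hash standing in for the MS-CHAP challenge/response itself (the real response applies DES to the NT hash and a challenge, which is omitted).

```python
import hmac
import struct

def md4(msg: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); OpenSSL 3 only exposes md4 through its legacy provider."""
    bit_len = len(msg) * 8
    msg += b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", bit_len)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(48):
            if i < 16:    # round 1: F, message words in order
                f, k, s, add = (b & c) | (~b & d), i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:  # round 2: G, words 0,4,8,12,1,5,9,13,...
                f, k, s = (b & c) | (b & d) | (c & d), (i % 4) * 4 + (i - 16) // 4, (3, 5, 9, 13)[i % 4]
                add = 0x5A827999
            else:         # round 3: H, words 0,8,4,12,2,10,6,14,...
                f, k, s = b ^ c ^ d, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i - 32], (3, 9, 11, 15)[i % 4]
                add = 0x6ED9EBA1
            t = (a + f + X[k] + add) & 0xFFFFFFFF
            a, b, c, d = d, ((t << s) | (t >> (32 - s))) & 0xFFFFFFFF, b, c
        h = [(v + w) & 0xFFFFFFFF for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE password); every MS-CHAP/MS-CHAPv2 response is derived from it."""
    return md4(password.encode("utf-16le"))

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP, assumed here as a stand-in for multiOTP's own token check."""
    mac = hmac.new(secret, struct.pack(">Q", counter), "sha1").digest()
    o = mac[-1] & 0x0F
    return str((struct.unpack(">I", mac[o:o + 4])[0] & 0x7FFFFFFF) % 10 ** digits).zfill(digits)

# Constructed directory: AD holds only the NT hash of the static password, the OTP side
# holds only the token seed (the RFC 4226 test seed). Neither can derive the other's secret.
AD_NT_HASHES = {"john": nt_hash("myBigPassword")}
TOKEN_SEEDS = {"john": b"12345678901234567890"}

def mschap_accept(user_name: str, client_nt_hash: bytes, counter: int) -> bool:
    """RADIUS-side decision for 'john:123456' in User-Name plus the static password in MS-CHAP;
    client_nt_hash stands in for the MS-CHAP response, which only verifies against the same NT hash."""
    account, _, otp = user_name.partition(":")
    if account not in AD_NT_HASHES or account not in TOKEN_SEEDS:
        return False
    otp_ok = hmac.compare_digest(otp, hotp(TOKEN_SEEDS[account], counter))
    hash_ok = hmac.compare_digest(client_nt_hash, AD_NT_HASHES[account])
    return otp_ok and hash_ok
```

With the original scheme the client computes its response from nt_hash("myBigPassword" + OTP), a value nobody on the server side can reproduce, which is the reject seen in the question's debug output.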