[RADIATOR] NTLM Failures to Active Directory

Heikki Vatiainen hvn at open.com.au
Fri Sep 15 16:38:28 UTC 2023

On 8.9.2023 0.55, Ullfig, Roberto Alfredo via radiator wrote:

> This is what the process looks like:
> /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
> so we're using NTLM v1 correct? Is that the proper way to run ntlm_auth?

That is a proper way to run ntlm_auth. What you could do is to add a 
flag to ntlm_auth parameters. The flag is: --allow-mschapv2

With this flag it's still possible to use MSCHAP based authentication 
methods even if older authentication methods are otherwise disabled on 
the Windows server. For more information, see this:


My understanding is that MSCHAP and MSCHAPv2 always require NTLM v1. 
Parameter --helper-protocol=ntlm-server-1 sets the method Radiator and 
ntlm_auth communicate with each other. It determines how the information 
is formatted between the two and it does not set the NTLM version. For 
more, see here:



Heikki Vatiainen
OSC, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software
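
An added example, not part of the original post and not Radiator or Samba code: a sketch of the `ntlm-server-1` line format described above, showing that the helper protocol carries only a challenge and response and has no field that selects an NTLM version. The parameter names and hex encoding follow Samba's ntlm_auth documentation, not this thread; the function names and sample values are assumptions made for illustration.

```python
import base64

def build_request(username, domain, challenge, nt_response):
    """Format one ntlm-server-1 request as the RADIUS server writes it to ntlm_auth's stdin."""
    if len(challenge) != 8:
        raise ValueError("challenge must be 8 bytes")
    if len(nt_response) < 24:
        raise ValueError("NT response must be at least 24 bytes")
    lines = [
        "Username: " + username,
        "NT-Domain: " + domain,
        "LANMAN-Challenge: " + challenge.hex(),
        "NT-Response: " + nt_response.hex(),
        "Request-User-Session-Key: Yes",
        ".",  # a single period ends the request
    ]
    return "\n".join(lines) + "\n"

def parse_reply(text):
    """Parse the helper's reply lines up to the terminating period."""
    fields = {}
    for line in text.splitlines():
        if line == ".":
            return fields
        key, sep, rest = line.partition(":")
        if not sep:
            raise ValueError("malformed line: %r" % line)
        if rest.startswith(": "):  # "Key:: value" carries a base64 value
            fields[key] = base64.b64decode(rest[2:]).decode("utf-8", "replace")
        else:
            fields[key] = rest.strip()
    raise ValueError("reply not terminated by '.'")

# Constructed sample values, not captured from a real exchange.
SAMPLE_REQUEST = build_request("alice", "EXAMPLE",
                               bytes.fromhex("0123456789abcdef"), bytes(24))
SAMPLE_REPLY = "Authenticated: No\nAuthentication-Error: constructed error text\n.\n"

if __name__ == "__main__":
    print(SAMPLE_REQUEST, end="")
    print(parse_reply(SAMPLE_REPLY))
```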
