Hello Alan, You've been absolutely right. The bug was in radius module for pppd and it sent wrong MS-CHAP2-Response value for freeradius. Problem was in function, which compose this attribute from client authentication response. Format of PPP response packet and MS-CHAP-Response av pair differs slightly, confirming the comments of the developer of the plug-in (something about idiots).
I've seen here that 3 person in this mailing list are suffering from the same bug, so, could you please excuse the posting of the patch? It was made against the latest cvs version of pppd from samba.org: Index: radius.c =================================================================== RCS file: /cvsroot/ppp/pppd/plugins/radius/radius.c,v retrieving revision 1.21 diff -u -r1.21 radius.c --- radius.c 25 Nov 2003 11:50:10 -0000 1.21 +++ radius.c 7 Jan 2004 19:18:43 -0000 @@ -425,7 +425,7 @@ case CHAP_MICROSOFT_V2: { /* MS-CHAP-Challenge and MS-CHAP2-Response */ - MS_Chap2Response *rmd = (MS_Chap2Response *) (response + 1); + MS_Chap2Response *rmd = (MS_Chap2Response *) response; u_char *p = cpassword; if (response_len != MS_CHAP2_RESPONSE_LEN) It completely fixes the problem of authenticating with pppd against freeradius using MSCHAPv2. I sent this patch to one of the maintainers of the pppd and asked to commit it to the source tree. Hope fixed pppd will be available for wide public soon. Kind regards, Anton Golubev - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html