Ldap – FreeRadius, login not working when using mschap

Tags: authentication, freeradius, ldap, radius, zentyal

I've been trying to make RADIUS work with Zentyal without success. I've tried logging in with an Android phone and a Windows 10 PC, but neither of them worked.
Joining the domain using LAN works fine, and using radtest without mschap works fine too; the problem here seems to be mschap. I've searched the web for hours but nothing worked for me.

When I tried to log in using my phone or PC, I used an Ubiquiti Access Point that seems to be configured correctly; requests are handled by FreeRADIUS. The AP is not the problem, since radtest doesn't work either, but anyway here is how I'm connecting using my phone.

EAP Method: PEAP
Phase 2 Authentication: None
CA Certificate: Don't validate

Identity: Elia
Password: stackoverflow

Radtest works fine when not using mschap

root@zenelia:~# radtest -x  Elia stackoverflow localhost 0 secret
Sending Access-Request of id 211 to 127.0.0.1 port 1812
    User-Name = "Elia"
    User-Password = "stackoverflow"
    NAS-IP-Address = 127.0.1.1
    NAS-Port = 0
    Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=211, length=20

freeradius -X output of previous command

rad_recv: Access-Request packet from host 127.0.0.1 port 52877, id=91, length=74
        User-Name = "Elia"
        User-Password = "stackoverflow"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
        Message-Authenticator = 0x0cca55945b14f3caf1f8f1ab3374df4c
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
[files] users: Matched entry DEFAULT at line 1
++[files] = ok
[ldap] performing user authorization for Elia
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> Elia
[ldap]  expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=Elia)
[ldap]  expand: DC=zentyal-domain,DC=lan -> DC=zentyal-domain,DC=lan
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to ldap://127.0.0.1, authentication 0
  [ldap] bind as CN=zentyal-radius-zenelia,CN=Users,DC=zentyal-domain,DC=lan/ELEwgGNcoFmjQ@Yj5oJS to ldap://127.0.0.1
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in DC=zentyal-domain,DC=lan, with filter (sAMAccountName=Elia)
  [ldap] rebind to URL ldap://zentyal-domain.lan/CN=Configuration,DC=zentyal-domain,DC=lan
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[ldap] Setting Auth-Type = LDAP
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] = noop
+} # group authorize = ok
Found Auth-Type = LDAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group LDAP {
[ldap] login attempt by "Elia" with password "stackoverflow"
[ldap] user DN: CN=Elia Perantoni,CN=Users,DC=zentyal-domain,DC=lan
  [ldap] (re)connect to ldap://127.0.0.1, authentication 1
  [ldap] bind as CN=Elia Perantoni,CN=Users,DC=zentyal-domain,DC=lan/stackoverflow to ldap://127.0.0.1
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
[ldap] user Elia authenticated succesfully
++[ldap] = ok
+} # group LDAP = ok
Login OK: [Elia] (from client 127.0.0.1/32 port 0)
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+group post-auth {
++[exec] = noop
+} # group post-auth = noop
Sending Access-Accept of id 91 to 127.0.0.1 port 52877
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 91 with timestamp +8
Ready to process requests.

This one doesn't; note that I'm using mschap here

root@zenelia:~# radtest -x -t mschap  Elia stackoverflow localhost 0 secret
Sending Access-Request of id 183 to 127.0.0.1 port 1812
    User-Name = "Elia"
    NAS-IP-Address = 127.0.1.1
    NAS-Port = 0
    Message-Authenticator = 0x00000000000000000000000000000000
    MS-CHAP-Challenge = 0xf7a1a65b013d5d6b
    MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000f024d5b89a20308d6a54dffacb2c4bb6ca20a6deedaebf71
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=183, length=38
    MS-CHAP-Error = "\000E=691 R=1"

Output of freeradius -X when executing previous command

rad_recv: Access-Request packet from host 127.0.0.1 port 59549, id=63, length=130
        User-Name = "Elia"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
        Message-Authenticator = 0xb28350b23c97bdfc9d9bac99504dcd4a
        MS-CHAP-Challenge = 0xadac5f0fddda582f
        MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000b4a9b44b238efc1cc4fbaf934c8e8b47fc72ebf43104a100
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] = ok
[eap] No EAP-Message, not doing EAP
++[eap] = noop
[files] users: Matched entry DEFAULT at line 1
++[files] = ok
[ldap] performing user authorization for Elia
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> Elia
[ldap]  expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=Elia)
[ldap]  expand: DC=zentyal-domain,DC=lan -> DC=zentyal-domain,DC=lan
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to ldap://127.0.0.1, authentication 0
  [ldap] bind as CN=zentyal-radius-zenelia,CN=Users,DC=zentyal-domain,DC=lan/ELEwgGNcoFmjQ@Yj5oJS to ldap://127.0.0.1
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in DC=zentyal-domain,DC=lan, with filter (sAMAccountName=Elia)
  [ldap] rebind to URL ldap://zentyal-domain.lan/CN=Configuration,DC=zentyal-domain,DC=lan
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] = noop
+} # group authorize = ok
Found Auth-Type = MSCHAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group MS-CHAP {
[mschap] Client is using MS-CHAPv1 with NT-Password
[mschap]        expand: %{Stripped-User-Name} ->
[mschap]        ... expanding second conditional
[mschap]        expand: %{User-Name} -> Elia
[mschap]        expand: %{%{User-Name}:-None} -> Elia
[mschap]        expand: --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -> --username=Elia
[mschap]  mschap1: ad
[mschap]        expand: %{mschap:Challenge} -> adac5f0fddda582f
[mschap]        expand: --challenge=%{%{mschap:Challenge}:-00} -> --challenge=adac5f0fddda582f
[mschap]        expand: %{mschap:NT-Response} -> b4a9b44b238efc1cc4fbaf934c8e8b47fc72ebf43104a100
[mschap]        expand: --nt-response=%{%{mschap:NT-Response}:-00} -> --nt-response=b4a9b44b238efc1cc4fbaf934c8e8b47fc72ebf43104a100
Exec output: Logon failure (0xc000006d)
Exec plaintext: Logon failure (0xc000006d)
[mschap] Exec: program returned: 1
[mschap] External script failed.
[mschap] MS-CHAP-Response is incorrect.
++[mschap] = reject
+} # group MS-CHAP = reject
Failed to authenticate the user.
Login incorrect (mschap: External script says Logon failure (0xc000006d)): [Elia] (from client 127.0.0.1/32 port 0)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+group REJECT {
[attr_filter.access_reject]     expand: %{User-Name} -> Elia
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 63 to 127.0.0.1 port 59549
        MS-CHAP-Error = "\000E=691 R=1"
Waking up in 4.9 seconds.
Cleaning up request 0 ID 63 with timestamp +9
Ready to process requests.

/var/log/freeradius/radius.log

Fri Jun  9 16:11:52 2017 : Auth: Login OK: [Elia] (from client 127.0.0.1/32 port 1812)

Fri Jun  9 16:11:58 2017 : Auth: Login incorrect (mschap: External script says Logon failure (0xc000006d)): [Elia] (from client 127.0.0.1/32 port 1812)

NTLM seems to be working

root@zenelia:~# ntlm_auth --username=Elia --password=stackoverflow
NT_STATUS_OK: Success (0x0)

Searching online, I found out that a common problem resulting in the same error (MS-CHAP-Error = "\000E=691 R=1") is not giving the user freerad read access to /var/lib/samba/winbindd_privileged, but that doesn't seem to be my case.

root@zenelia:/var/lib/samba# ls -l
total 1404
-rw-------   1 root root          421888 mag 31 17:03 account_policy.tdb
-rw-------   1 root root             696 mag 31 17:03 group_mapping.tdb
drwxr-x---   2 root ntp             4096 giu  9 15:21 ntp_signd
drwxr-xr-x  10 root root            4096 mag 31 17:02 printers
drwxr-xr-x   8 root root            4096 giu  9 16:26 private
-rw-------   1 root root          528384 mag 31 17:03 registry.tdb
-rw-------   1 root root          421888 mag 31 17:03 share_info.tdb
drwxrwx---+  3 root adm             4096 mag 31 17:07 sysvol
drwxrwx--T   2 root sambashare      4096 mag 31 17:03 usershares
-rw-------   1 root root           32768 giu  9 16:24 winbindd_cache.tdb
drwxr-x---   2 root winbindd_priv   4096 giu  9 15:21 winbindd_privileged

root@zenelia:/var/lib/samba# grep '^winbindd_priv:' /etc/group
winbindd_priv:x:118:freerad

winbindd_privileged is owned by group winbindd_priv, which freerad is part of.

Some users online suggest adding users manually in /etc/freeradius/users

Elia Cleartext-Password := "stackoverflow", MS-CHAP-Use-NTLM-Auth := No

which does work but the next one doesn't

Elia Cleartext-Password := "stackoverflow"

Now, I cannot afford to add each user manually; I need FreeRADIUS to gather users from the domain, but I thought it worth pointing out that disabling NTLM works, even though I don't know how to disable it for every user.

Is there a way to make FreeRADIUS work with Zentyal without having to add users manually?

Best Answer

I hit that and found out that some AD domains (or probably a misconfiguration of winbindd or some other NTLM-auth layer) expect hashes to be computed from only the username, and not from the UPN or DOMAIN\username. Therefore, for me the solution was to use mschap:User-Name in place of the user name when supplying data to ntlm_auth.

The complete line was:

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{mschap:User-Name}:-%{%{User-Name}:-None}}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"

Probably this might get shortened to have less stuff to expand, but it works for me.
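To see what the nested `:-` fallbacks in that line actually resolve to, here is an added example (a simplified model written for this page, not FreeRADIUS code) that expands the `--username=` format from the failing debug log above and the one from the answer against constructed attribute sets. It assumes `%{mschap:User-Name}` behaves as "User-Name with any `DOMAIN\` prefix removed", and the `ZENTYAL\` prefix in the sample input is constructed.

```python
# Added example (not FreeRADIUS code): a simplified model of how the nested
# %{%{A}:-%{B}} fallbacks in the ntlm_auth --username= argument resolve.
# Constructed attribute dicts stand in for a request's attribute list.

# The expansion FreeRADIUS logged for the failing mschap request above ...
OLD_FMT = "--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}"
# ... and the one from the accepted answer.
NEW_FMT = ("--username=%{%{Stripped-User-Name}:-"
           "%{%{mschap:User-Name}:-%{%{User-Name}:-None}}}")

def lookup(ref, attrs):
    """Resolve a bare reference. %{mschap:User-Name} is modelled as the
    User-Name with any 'DOMAIN\\' prefix removed (an assumption about
    rlm_mschap that is sufficient for this example)."""
    if ref == "mschap:User-Name":
        name = attrs.get("User-Name", "")
        return name.split("\\", 1)[1] if "\\" in name else name
    return attrs.get(ref, "")

def _expand(fmt, i, attrs, top):
    """Expand fmt from index i. Below top level, stop at the first unmatched
    '}' and return (text, index just past that brace)."""
    out = ""
    while i < len(fmt):
        if fmt.startswith("%{", i):
            value, i = _braced(fmt, i + 2, attrs)
            out += value
        elif not top and fmt[i] == "}":
            return out, i + 1
        else:
            out += fmt[i]
            i += 1
    return out, i

def _braced(fmt, i, attrs):
    """Body of one %{...}: a plain reference, or %{X}:-fallback where the
    fallback text is used when %{X} expands to the empty string."""
    if not fmt.startswith("%{", i):                 # plain reference
        j = fmt.index("}", i)
        return lookup(fmt[i:j], attrs), j + 1
    value, i = _braced(fmt, i + 2, attrs)           # the primary %{X}
    if fmt.startswith(":-", i):
        fallback, i = _expand(fmt, i + 2, attrs, top=False)
        return (value if value else fallback), i
    return value, i + 1                             # skip '}' of %{%{X}}

def expand(fmt, attrs):
    """Fully expand an xlat format string against an attribute dict."""
    return _expand(fmt, 0, attrs, top=True)[0]
```

With a bare `User-Name` of `Elia` both formats give the same argument, which is why the log above shows `--username=Elia`; the difference appears only when the supplicant sends `DOMAIN\user`, where the old format passes the prefixed name to ntlm_auth and the new one strips it.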
