The problem persists with escaped username (it's Administrator in UTF-8 in russian):
Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] Told to do MS-CHAPv2 for Администратор with NT-Password [mschap] expand: --username="%{mschap:User-Name}" -> --username="Администратор" [mschap] expand: --domain=%{mschap:NT-Domain} -> --domain=CITYHALL [mschap] mschap2: d6 [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=dcc735f9e06566f6 [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=3a160d20c9f584afd0024f676305fba382955db43d2a39e1 Exec-Program output: Invalid parameter (0xc000000d) Exec-Program-Wait: plaintext: Invalid parameter (0xc000000d) Exec-Program: returned: 1 [mschap] External script failed. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. ... ntlm_auth successfully authenticates returning NT_KEY when run manually: ntlm_auth --diagnostics --request-nt-key --username="Администратор" --domain=CITYHALL --challenge=86c94cfffd3f36fa --nt-response=3fa59f14170c3c64156be08dce431349620d99bc9f74cb79 NT_KEY: EB6DA41D01DE9C2F6ADA05D91346881E
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html