AW: AW: PEAP+MSCHAP+AD (please help)
Phil Mayers
p.mayers at imperial.ac.uk
Wed Dec 13 11:28:33 CET 2006
Hector.Ortiz at swisscom.com wrote:
>
> on the windows client. I tried first one automatic login and then a
> manual one. The CHAP log generated by Windows is as follows:
Hmph. That wasn't as useful as I'd hoped (the PPP logs are much better)
>
> Windows sends both domain and username, but only the manual login
> succeeds.
>
> For the manual login, Windows uses DES and MD5 but for the automatic
> one uses Local Security Authority, but I don't think this has
> something to do with my problem, does it?
Not really - the automatic login calls out to the LSA to get the
logged-in creds. The manual login does a portion of that locally.
>
> I've also tried other things on the client side:
>
> Cleaned cached user credentials from regedit, just in case, but the
> result is the same. I've tried using different computers and the
> result is the same. Using a different supplicant (SecureW2) seemed to
> work, but not using PEAP. I selected EAP-MSCHAP v2 and both automatic
> and manual logins worked on my computer through SW2. Then I tried it
> on another computer, and it didn't work. Different accounts and the
> result is the same.
>
> I haven't tried yet bumping the debugging level in Samba. I was just
> trying on the client side, but unfortunately nothing succeeded :(
>
> Well, now I have to try things on the server side.
I doubt there's anything in the RADIUS server that'll help at this point.
Only two things I can think of:
1. Does your password have odd (non-ASCII) characters in it? That
should NOT matter for MS-CHAP since it's explicitly Unicode-aware
2. Does the domain you are in have particularly tight security policies
that might be preventing the LSA from successfully completing an MS-CHAP
but would allow the manual code to work?
Both are extremely unlikely.
Sorry I can't be more help.