Actually this is the exact same problem I have. I need to type my credentials in for authentication to work. If I let Windows do it, I won't get in.

If any of you could please help us out with this issue, that'd be great.

Cheers
Héctor

From: freeradius-users-bounces+hector.ortiz=swisscom.com@lists.freeradius.org [mailto:freeradius-users-bounces+hector.ortiz=swisscom.com@lists.freeradius.org] On behalf of Stieven.Struyf@komatsu.eu
Sent: Monday, 6 November 2006 16:17
To: King, Michael
Cc: freeradius-users@lists.freeradius.org
Subject: RE: freeradius and ntlm_auth howto

Michael,

The configuration works when I type in my username as 'username@domain'; when I let Windows fill it in I don't get in.

My password gets locked after 3 attempts, and the wifi retries several times. If you look higher in the file you will see another error: (logon failure)

It works with the standard certs, so for finding a good working configuration this is ok for now. Obviously I will change this for production.

Stieven Struyf
M.I.S. Division - System Operations
Komatsu Europe International NV
Mechelsesteenweg 586
B-1800 Vilvoorde
Stieven.Struyf@komatsu.eu
Tel. +32 (0)2 2552551

Did you generate your OWN certs... The ones that ship with the server ARE NOT valid. You have to generate your own.

    rlm_eap: Loaded and initialized type peap
     mschapv2: with_ntdomain_hack = no
    rlm_eap: Loaded and initialized type mschapv2

That doesn't look right

BUT YOUR FINAL ANSWER:

    Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=sstruyf --challenge=b9ee04ca891c7b7d --nt-response=79b960c773fa101929d3bf8e738168e8b6d8ae8cd61f64f0
    Exec-Program output: Account locked out (0xc0000234)
    Exec-Program-Wait: plaintext: Account locked out (0xc0000234)
    Exec-Program: returned: 1
    rlm_mschap: External script failed.
    rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

Your account in the domain is not correct.
Looks like it's been disabled or something.

Fix that first before you change any more config files.

From: Stieven.Struyf@komatsu.eu [mailto:Stieven.Struyf@komatsu.eu]
Sent: Monday, November 06, 2006 3:16 AM
To: King, Michael
Subject: Fw: freeradius and ntlm_auth howto

Michael,

I sent my reply already to the list, but due to the size (larger than 100k) it had to be reviewed by the admin and after a week it was rejected. Below you can find the mail. Thanks for helping me.

Stieven Struyf
M.I.S. Division - System Operations
Komatsu Europe International NV
Mechelsesteenweg 586
B-1800 Vilvoorde
Stieven.Struyf@komatsu.eu
Tel. +32 (0)2 2552551

----- Forwarded by Stieven Struyf/KEISA/BE/KOMEUR on 11/06/2006 09:13 AM -----

Stieven Struyf/KEISA/BE/KOMEUR
11/02/2006 08:55 AM
To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>

I added the debuglog as attachment (as it is a little large to paste here).

This is the mschap config:

    mschap {
        authtype = MS-CHAP
        use_mppe = yes
        require_strong = yes
        with_ntdomain_hack = yes
        require_encryption = yes
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}"
    }

Stieven Struyf
M.I.S. Division - System Operations
Komatsu Europe International NV
Mechelsesteenweg 586
B-1800 Vilvoorde
Stieven.Struyf@komatsu.eu
Tel. +32 (0)2 2552551

freeradius-users-bounces+stieven.struyf=komatsu.eu@lists.freeradius.org wrote on 10/27/2006 04:36:00 PM:

> Let's see if we can get this solved...
>
> > -----Original Message-----
> > Here's the full log:
> > Waking up in 6 seconds...
> > rad_recv: Access-Request packet from host 10.104.254.73:1645,
>
> This is NOT the full log. The full log would have started with the line
> /path/to/radiusd -X
>
> Some important stuff is printed out there, it helps us help you.
>
> > rlm_mschap: NT Domain delimeter found, should we have enabled with_ntdomain_hack?
> > rlm_mschap: NT Domain delimeter found, should we have enabled with_ntdomain_hack?
>
> Did you enable Ntdomain Hack in the MSCHAP module? (See below)
>
> Including your radius.conf file would help.
>
> > > HOWEVER, first you may want to check your mschap module definition:
> > >
> > > modules {
> > >   mschap {
> > >     ntlm_auth = "/usr/bin/ntlm_auth \
> > >       --request-nt-key \
> > >       --username=%{mschap:User-Name:-None} \
> > >       --domain=%{mschap:NT-Domain:-None} \
> > >       --challenge=%{mschap:Challenge:-00} \
> > >       --nt-response=%{mschap:NT-Response:-00}"
> > >
> > > ...all on one line of course. Note the use of the "mschap:User-Name"
> > > and "mschap:NT-Domain" values.
>
> My radiusd.conf file's mschap section looks like this:
> NOTE that I do NOT have the :-00 and the :-None statements, and I DO
> have with_ntdomain_hack=yes
>
> # Microsoft CHAP authentication
> #
> # This module supports MS-CHAP and MS-CHAPv2 authentication.
> # It also enforces the SMB-Account-Ctrl attribute.
> #
> mschap {
>     with_ntdomain_hack = yes
>     ntlm_auth = "/usr/bin/ntlm_auth \
>         --request-nt-key \
>         --username=%{mschap:User-Name} \
>         --challenge=%{mschap:Challenge} \
>         --nt-response=%{mschap:NT-Response}"
> }
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
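
Reading the ntlm_auth result out of `radiusd -X` debug output, as one of the replies in this thread does by hand: the following is an added example, not code from the thread or from FreeRADIUS. It pairs each ntlm_auth call with the NT status it printed and separates account-state failures, which have to be fixed in the domain before any config change, from credential failures. The `jdoe` entry is constructed; the `sstruyf` lines are the ones quoted in the thread.

```python
import re

# NTSTATUS codes ntlm_auth prints in parentheses. "account" = fix the domain
# account first; "credential" = wrong name/password or user-name format.
NT_STATUS = {
    0xC0000234: ("STATUS_ACCOUNT_LOCKED_OUT", "account"),
    0xC0000072: ("STATUS_ACCOUNT_DISABLED", "account"),
    0xC000006D: ("STATUS_LOGON_FAILURE", "credential"),
    0xC000006A: ("STATUS_WRONG_PASSWORD", "credential"),
    0xC0000064: ("STATUS_NO_SUCH_USER", "credential"),
}

EXEC_RE = re.compile(r"Exec-Program:\s+\S*ntlm_auth\b.*?--username=(\S+)")
OUTPUT_RE = re.compile(r"Exec-Program output:\s+(.*?)\s*\((0x[0-9a-fA-F]{8})\)")

def ntlm_auth_failures(debug_lines):
    """Pair each ntlm_auth invocation with the status line that follows it."""
    findings, user = [], None
    for line in debug_lines:
        m = EXEC_RE.search(line)
        if m:
            user = m.group(1)          # remember who this call was for
            continue
        m = OUTPUT_RE.search(line)
        if m and user is not None:
            code = int(m.group(2), 16)
            name, kind = NT_STATUS.get(code, ("UNKNOWN", "unknown"))
            findings.append({"user": user, "code": code, "status": name,
                             "kind": kind, "text": m.group(1)})
            user = None                # one result per invocation
    return findings

def accounts_to_fix(findings):
    """Users whose failure is an account state problem, not a config one."""
    return sorted({f["user"] for f in findings if f["kind"] == "account"})

# Sample debug lines: the jdoe pair is constructed, the rest is from the thread.
SAMPLE = """\
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=jdoe --challenge=0011223344556677 --nt-response=00112233445566778899aabbccddeeff0011223344556677
Exec-Program output: Logon failure (0xc000006d)
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=sstruyf --challenge=b9ee04ca891c7b7d --nt-response=79b960c773fa101929d3bf8e738168e8b6d8ae8cd61f64f0
Exec-Program output: Account locked out (0xc0000234)
Exec-Program-Wait: plaintext: Account locked out (0xc0000234)
Exec-Program: returned: 1
""".splitlines()

if __name__ == "__main__":
    for f in ntlm_auth_failures(SAMPLE):
        print(f"{f['user']}: {f['status']} ({f['code']:#010x}) -> {f['kind']}")
```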