EAP-TLS OK - EAP-PEAP KO!! why that?

Reveal MAP revealmapp at yahoo.fr
Sat Jul 19 20:55:04 CEST 2008


ah okay! lol

> "If you want to authenticate PEAP users via SQL (which you seem
> to be saying), then don't configure the mschap module to use ntlm_auth."

My mistake: I didn't know...

Back to users based on AD.

username=glouglou
passwd=glouglou
domain=PLUTON
---------------------------------------------------------------------------------------------------
aaa:~ # ntlm_auth --username=glouglou --request-nt-key --domain=PLUTON
password:
NT_STATUS_OK: Success (0x0)
aaa:~ #
---------------------------------------------------------------------------------------------------

In etc/raddb/module/mschap, I have this for ntlm_auth:

---------------------
mschap {
    use_mppe = yes
    #require_encryption = yes
    #require_strong = yes
    with_ntdomain_hack = yes

    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

    #ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
---------------------
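As an added example (not code from this post, from FreeRADIUS or from Samba): the two expansions in the ntlm_auth line above, `%{mschap:Challenge}` and `%{mschap:NT-Response}`, are the 8-byte MS-CHAPv2 ChallengeHash and the 24-byte NT-Response defined in RFC 2759. The script below recomputes the ChallengeHash and the NT password hash in pure Python, checks them against the RFC 2759 test vectors, and builds the equivalent ntlm_auth command line so that a failing PEAP login can be replayed by hand on the RADIUS host. The username glouglou and domain PLUTON are taken from the post; the challenges, password and NT-Response are the RFC's test data, and the ntlm_auth path is assumed to be /usr/bin/ntlm_auth as in the config. It deliberately does not compute the NT-Response itself (that step needs DES) and does not execute ntlm_auth.

```python
"""Reproduce the inputs FreeRADIUS hands to ntlm_auth for an EAP-PEAP/MS-CHAPv2 login.

Added example, not code from the mailing-list post, FreeRADIUS or Samba.
%{mschap:Challenge} is the MS-CHAPv2 ChallengeHash and %{mschap:NT-Response} is the
NT-Response carried in the MS-CHAP2-Response attribute (RFC 2759, sections 8.2 and 8.1).
"""
import hashlib
import struct

# RFC 2759 section 9.2 test vectors (not data from the post).
RFC_USER = "User"
RFC_PASSWORD = "clientPass"
RFC_AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
RFC_PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
RFC_NT_RESPONSE = bytes.fromhex("82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF")


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). hashlib may lack MD4 on OpenSSL 3 builds, so do it here."""
    mask = 0xFFFFFFFF

    def rol(x, n):
        return ((x << n) | (x >> (32 - n))) & mask

    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z

    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        for i in range(16):                           # round 1
            a = rol((a + f(b, c, d) + X[i]) & mask, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                           # round 2, word order 0,4,8,12,1,5,...
            k = (i % 4) * 4 + i // 4
            a = rol((a + g(b, c, d) + X[k] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                           # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = rol((a + h(b, c, d) + X[k] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        A, B, C, D = (A + a) & mask, (B + b) & mask, (C + c) & mask, (D + d) & mask
    return struct.pack("<4I", A, B, C, D)


def nt_password_hash(password: str) -> bytes:
    """NtPasswordHash: MD4 of the password encoded as UTF-16LE (RFC 2759 8.3).
    This is the value a domain controller stores and what ntlm_auth verifies against."""
    return md4(password.encode("utf-16-le"))


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes, username: str) -> bytes:
    """ChallengeHash = first 8 bytes of SHA1(PeerChallenge || AuthenticatorChallenge || UserName)
    (RFC 2759 8.2). UserName is the bare account name with no DOMAIN\\ prefix, which is why
    the mschap module strips the domain (with_ntdomain_hack) before expanding %{mschap:Challenge}."""
    if len(peer_challenge) != 16 or len(authenticator_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges are 16 bytes each")
    digest = hashlib.sha1(peer_challenge + authenticator_challenge + username.encode("ascii")).digest()
    return digest[:8]


def ntlm_auth_argv(username: str, domain: str, challenge: bytes, nt_response: bytes,
                   ntlm_auth: str = "/usr/bin/ntlm_auth") -> list:
    """Argv equivalent to the mschap module's ntlm_auth setting, with --domain added
    (the same way the command-line test in the post passes it)."""
    if len(challenge) != 8 or len(nt_response) != 24:
        raise ValueError("expected an 8-byte ChallengeHash and a 24-byte NT-Response")
    return [ntlm_auth, "--request-nt-key",
            f"--username={username}", f"--domain={domain}",
            f"--challenge={challenge.hex()}", f"--nt-response={nt_response.hex()}"]


if __name__ == "__main__":
    chal = challenge_hash(RFC_PEER_CHALLENGE, RFC_AUTH_CHALLENGE, RFC_USER)
    print("NtPasswordHash(clientPass) =", nt_password_hash(RFC_PASSWORD).hex())
    print("ChallengeHash              =", chal.hex())
    # Run this on the RADIUS host (subprocess.run) to get NT_STATUS_OK or the 0xc000006d
    # logon failure seen in the debug output, independently of the wireless client.
    print(" ".join(ntlm_auth_argv("glouglou", "PLUTON", chal, RFC_NT_RESPONSE)))
```

If the printed command succeeds when typed on the RADIUS host but the PEAP login still fails, the difference is in what FreeRADIUS expands: compare the `--username` and `--challenge` values in the `Exec-Program` debug line against the ones computed here for the same username, since a wrong domain prefix changes the ChallengeHash and produces exactly the logon failure quoted below.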




----- Original Message ----
From: Alan DeKok <aland at deployingradius.com>
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Sent: Saturday, 19 July 2008, 18:07:43
Subject: Re: Re : Re : Re :  EAP-TLS OK - EAP-PEAP KO!! why that?

Reveal MAP wrote:
> user=maman
> passwd= maman
> is a sql based user.
> 
> trying peap with sql based user give error message,

   Which... is what?  Is it a secret?

> but trying it with
> Ad_based user give no error message, just don't connect...

  FreeRADIUS gives no error message?  Or the client?  Are you trying to
debug the FreeRADIUS configuration by looking at the login screen on the
client machine?

> with radtest:

  Which sends a PAP request.  Which doesn't use the MS-CHAP module.
Which doesn't go to AD.

> same credential with my Access-Point (part of output).
> ---------------------------------------------------------------------------------------------
> 
>  rlm_eap: Request found, released from the list
>   rlm_eap: EAP/mschapv2

  Which is using MS-CHAP.  Which then uses the MS-CHAP module.  Which
*you* have configured to ask AD.

> Exec-Program output: Logon failure (0xc000006d)

  So... fix that.  Run ntlm_auth from the command line until it works.
Then use the same password to log in via PEAP.

  Or... if you want to authenticate PEAP users via SQL (which you seem
to be saying), then don't configure the mschap module to use ntlm_auth.

  Alan DeKok.