FreeRadius - Wifi - Active directory (Eap-Peap-MSCHAP)

Milka Net pierre_dejong at
Thu May 5 23:07:47 CEST 2016

I am trying to set up a freeradius authentication against an MS Active Directory for Wifi.
All went right:
- debian in AD
- net ads testjoin
- wbinfo -a test
- /usr/bin/ntlm_auth --request-nt-key --domain=DOM --username=u1 --password=thepassord

So basically: authenticating with an AD user is really fine... even from a "windows 7" laptop it is fine, AS LONG as I get prompted for the user/pass, and I enter it in the form of USER/PASS.
When I try to use the "automatic", so that it's the "laptop" that sends the credential, it does not work: it does send it as: DOMAIN\\USER.

domain: galaxy.priv
user: test

Here is the freeradius -X output.
rad_recv: Access-Request packet from host port 59985, id=177, length=173
        User-Name = "galaxy\\test"
        NAS-Identifier = "44d9e7fc21c1"
        NAS-Port = 0
        Called-Station-Id = "46-D9-E7-FD-21-C1:FreeRadius"
        Calling-Station-Id = "00-1E-65-22-14-C2"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 0Mbps 802.11b"
        EAP-Message = 0x027300100167616c6178795c74657374
        Message-Authenticator = 0x3d46f71089cc7034c3a6636b891a17af
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
[ntdomain] Looking up realm "galaxy" for User-Name = "galaxy\test"
[ntdomain] Found realm "GALAXY"
[ntdomain] Adding Stripped-User-Name = "test"
[ntdomain] Adding Realm = "GALAXY"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] = ok
[suffix] Request already proxied.  Ignoring.
++[suffix] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Request already proxied.  Ignoring.
++[suffix] = ok
[eap] EAP packet type response id 115 length 16
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 177 to port 59985
        EAP-Message = 0x017400061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf1d729faf1a330fa1233dbe164274a4f
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.

Would you guys have anything I could test?
Any advice would be welcome!
Thanks in advance
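
Added example, not part of the original post: a small Python decoder for the two EAP-Message values in the debug output above. It shows that the identity on the wire is `galaxy\test` with a single backslash (0x5c), and that the Access-Challenge is a PEAP packet with the Start flag set, so the quoted log covers only the opening round of the EAP conversation. The function names are hypothetical; the hex strings are copied from the log.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS",
             21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
TLS_BASED = (13, 21, 25)  # these types start their data with a flags byte


def parse_eap(hex_value):
    """Decode one EAP packet (RFC 3748 layout) from an EAP-Message hex string."""
    text = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        # A long EAP packet is split over several EAP-Message attributes.
        raise ValueError("length field %d, but %d bytes given" % (length, len(raw)))
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length > 4:  # only Request/Response carry a Type
        eap_type, data = raw[4], raw[5:]
        pkt["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == 1:  # Identity: the outer user name, sent in clear
            pkt["identity"] = data.decode("utf-8", "replace")
        elif eap_type in TLS_BASED and data:
            flags = data[0]
            pkt["tls_flags"] = {"length_included": bool(flags & 0x80),
                                "more_fragments": bool(flags & 0x40),
                                "start": bool(flags & 0x20)}
    return pkt


def split_nt_domain(identity):
    """Split DOMAIN\\user into (realm, user); hypothetical helper, not FreeRADIUS code."""
    realm, sep, user = identity.partition("\\")
    return (realm, user) if sep else (None, identity)


# Hex values copied from the debug output in the post.
REQUEST_EAP = "0x027300100167616c6178795c74657374"
CHALLENGE_EAP = "0x017400061920"

if __name__ == "__main__":
    for label, value in (("Access-Request", REQUEST_EAP),
                         ("Access-Challenge", CHALLENGE_EAP)):
        print(label, parse_eap(value))
    print(split_nt_domain(parse_eap(REQUEST_EAP)["identity"]))
```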
