<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7226.0">
<TITLE>Problem with PEAP and MS-CHAPv2 and AD</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/rtf format -->
<P><FONT SIZE=2 FACE="Arial">I am having a strange problem, and was hoping for some expertise in this matter, and I need to get this working very quickly since I am running out of time. I have freeradius configured to authenticate our users for a wired 802.1x environment. Authentication works successfully if the supplicant (odyssey client) sends only the username and not domain\username. The problem is when I install the odyssey gina module to configure the supplicant to authenticate prior to windows login: it passes the credentials as domain\username, which fails authentication. I did some searches and made the following changes:</FONT></P>
<P><FONT SIZE=2 FACE="Arial">proxy.conf</FONT>
</P>
<P><FONT SIZE=2 FACE="Arial">added:</FONT>
</P>
<P><FONT SIZE=2 FACE="Arial">realm domain {</FONT>
<BR> <FONT SIZE=2 FACE="Arial">type = radius</FONT>
<BR> <FONT SIZE=2 FACE="Arial">authhost = LOCAL</FONT>
<BR> <FONT SIZE=2 FACE="Arial">accthost = LOCAL</FONT>
<BR><FONT SIZE=2 FACE="Arial">}</FONT>
</P>
<P><FONT SIZE=2 FACE="Arial">and uncommented the ntdomain section in radiusd.conf</FONT>
</P>
<P><FONT SIZE=2 FACE="Arial">This did not work, so I tried another suggestion and changed the ntlm_auth string from:</FONT>
</P>
<P><FONT SIZE=2 FACE="Arial">ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=MEM --username=%{User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"</FONT></P>
<P><FONT SIZE=2 FACE="Arial">to:</FONT>
</P>
<P><FONT SIZE=2 FACE="Arial">ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"</FONT></P>
<P><FONT SIZE=2 FACE="Arial">Now when I log in I get the following error (this also occurs at the desktop level):</FONT>
</P>
<P><FONT SIZE=2 FACE="Arial"> rlm_mschap: NT Domain delimeter found, should we have enabled with_ntdomain_hack?</FONT>
<BR><FONT SIZE=2 FACE="Arial">radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'</FONT>
<BR><FONT SIZE=2 FACE="Arial">radius_xlat: '/usr/bin/ntlm_auth --request-nt-key --username=RGraham --domain=MEM --challenge=71c3373eb458a75e --nt-response=c410b4f18e8527df26495cad16d20a09679b03969efa3d3e'</FONT></P>
<P><FONT SIZE=2 FACE="Arial">Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=RGraham --domain=MEM --challenge=71c3373eb458a75e --nt-response=c410b4f18e8527df26495cad16d20a09679b03969efa3d3e</FONT></P>
<P><FONT SIZE=2 FACE="Arial">Exec-Program output: Logon failure (0xc000006d) </FONT>
<BR><FONT SIZE=2 FACE="Arial">Exec-Program-Wait: plaintext: Logon failure (0xc000006d) </FONT>
<BR><FONT SIZE=2 FACE="Arial">Exec-Program: returned: 1</FONT>
<BR><FONT SIZE=2 FACE="Arial"> rlm_mschap: External script failed.</FONT>
<BR><FONT SIZE=2 FACE="Arial"> rlm_mschap: FAILED: MS-CHAP2-Response is incorrect</FONT>
<BR><FONT SIZE=2 FACE="Arial"> modcall[authenticate]: module "mschap" returns reject for request 7</FONT>
<BR><FONT SIZE=2 FACE="Arial">modcall: group Auth-Type returns reject for request 7</FONT>
<BR><FONT SIZE=2 FACE="Arial"> rlm_eap: Freeing handler</FONT>
<BR><FONT SIZE=2 FACE="Arial"> modcall[authenticate]: module "eap" returns reject for request 7</FONT>
<BR><FONT SIZE=2 FACE="Arial">modcall: group authenticate returns reject for request 7</FONT>
<BR><FONT SIZE=2 FACE="Arial">auth: Failed to validate the user.</FONT>
<BR><FONT SIZE=2 FACE="Arial"> PEAP: Got tunneled reply RADIUS code 3</FONT>
<BR> <FONT SIZE=2 FACE="Arial">MS-CHAP-Error = "\007E=691 R=1"</FONT>
<BR> <FONT SIZE=2 FACE="Arial">EAP-Message = 0x04070004</FONT>
<BR> <FONT SIZE=2 FACE="Arial">Message-Authenticator = 0x00000000000000000000000000000000</FONT>
<BR><FONT SIZE=2 FACE="Arial"> PEAP: Processing from tunneled session code 0xf8716a50 3</FONT>
<BR> <FONT SIZE=2 FACE="Arial">MS-CHAP-Error = "\007E=691 R=1"</FONT>
<BR> <FONT SIZE=2 FACE="Arial">EAP-Message = 0x04070004</FONT>
<BR> <FONT SIZE=2 FACE="Arial">Message-Authenticator = 0x00000000000000000000000000000000</FONT>
<BR><FONT SIZE=2 FACE="Arial"> PEAP: Tunneled authentication was rejected.</FONT>
<BR><FONT SIZE=2 FACE="Arial"> rlm_eap_peap: FAILURE</FONT>
</P>
<P><FONT SIZE=2 FACE="Arial">If I change the ntlm_auth back to the original string and authenticate at the desktop (not gina) it authenticates. </FONT>
</P>
<P><FONT SIZE=2 FACE="Arial">So my question is: What do I need to do to configure Freeradius to strip the domain portion where EAP-PEAP is successful at both gina (login) and desktop?</FONT></P>
<P><FONT SIZE=2 FACE="Arial">Any help would be greatly appreciated.</FONT>
</P>
<P><FONT SIZE=2 FACE="Arial">Thanks</FONT>
<BR><FONT SIZE=2 FACE="Arial">Robert Graham</FONT>
</P>
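<P><FONT SIZE=2 FACE="Arial">Added example (editor's note, not part of the original message and not FreeRADIUS or Samba code): the 8-byte value that rlm_mschap passes to ntlm_auth as --challenge is the MS-CHAPv2 ChallengeHash of RFC 2759 section 8.2, the first 8 bytes of SHA1(PeerChallenge || AuthenticatorChallenge || UserName). The user name is an input to that hash, so the server must hash exactly the name the supplicant hashed. FreeRADIUS's mschap module option with_ntdomain_hack exists because, as its own configuration comment describes, Windows-style supplicants send DOMAIN\user but compute the response over the user portion only. The script below models both sides of that computation; the peer and authenticator challenges are constructed sample bytes, and the function names, the DOMAIN\user splitting rule and the "client hashes the bare user name" assumption are the example's own, not taken from the post.</FONT></P>

```python
import hashlib

# Constructed sample challenges (16 bytes each); not values from the original post.
PEER_CHALLENGE = bytes.fromhex("21402432b1a2292c28c6c23a5ac1ac4e")
AUTH_CHALLENGE = bytes.fromhex("5b5d7c7d7b3f2f3a3c3e3b3d3b3f3a3c")


def split_ntdomain(user_name):
    """Mimic realm-style stripping of an NT domain prefix: 'DOMAIN\\user' -> ('DOMAIN', 'user').

    Returns (None, user_name) when no backslash delimiter is present.
    (Example helper, not the FreeRADIUS realm module.)
    """
    domain, sep, user = user_name.partition("\\")
    if not sep:
        return None, user_name
    return domain, user


def challenge_hash(peer_challenge, auth_challenge, user_name):
    """RFC 2759 section 8.2 ChallengeHash: SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[0:8]."""
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(auth_challenge)
    h.update(user_name.encode("ascii"))
    return h.digest()[:8]


def client_challenge(user_name, peer_challenge, auth_challenge):
    """Supplicant side (assumption modelled on the with_ntdomain_hack comment):
    the client hashes only the user portion even when it sends DOMAIN\\user."""
    return challenge_hash(peer_challenge, auth_challenge, split_ntdomain(user_name)[1])


def server_challenge(user_name, peer_challenge, auth_challenge, with_ntdomain_hack):
    """Server side: with the hack enabled the domain prefix is dropped before hashing,
    otherwise the full User-Name string as received goes into the hash."""
    name_for_hash = split_ntdomain(user_name)[1] if with_ntdomain_hack else user_name
    return challenge_hash(peer_challenge, auth_challenge, name_for_hash)


def ntlm_auth_args(user_name, peer_challenge, auth_challenge, with_ntdomain_hack):
    """The --username/--domain/--challenge values a server would hand to ntlm_auth."""
    domain, user = split_ntdomain(user_name)
    challenge = server_challenge(user_name, peer_challenge, auth_challenge, with_ntdomain_hack)
    return {"username": user, "domain": domain, "challenge": challenge.hex()}


def challenges_match(user_name, peer_challenge, auth_challenge, with_ntdomain_hack):
    """True when client and server derived the same 8-byte challenge, i.e. when the
    NT-Response the client computed can verify against the DC's copy of the NT hash."""
    return (server_challenge(user_name, peer_challenge, auth_challenge, with_ntdomain_hack)
            == client_challenge(user_name, peer_challenge, auth_challenge))


if __name__ == "__main__":
    for name, hack in (("RGraham", False), ("MEM\\RGraham", False), ("MEM\\RGraham", True)):
        args = ntlm_auth_args(name, PEER_CHALLENGE, AUTH_CHALLENGE, hack)
        print(f"User-Name={name!r:16} with_ntdomain_hack={hack!s:5} "
              f"--challenge={args['challenge']} match={challenges_match(name, PEER_CHALLENGE, AUTH_CHALLENGE, hack)}")
```

<P><FONT SIZE=2 FACE="Arial">Running the block prints one line per case: a bare user name matches with or without the hack, and a DOMAIN\user name matches only when the server strips the prefix before hashing. Stripping the domain only for the --username argument, while still hashing the full DOMAIN\user string into the challenge, yields a different 8-byte --challenge than the client used, and the domain controller then reports a logon failure even though the password is correct; the log line "NT Domain delimeter found, should we have enabled with_ntdomain_hack?" is rlm_mschap flagging exactly that situation.</FONT></P>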
</BODY>
</HTML>