<br><font size=2 face="sans-serif">michael,</font>
<br><font size=2 face="sans-serif">The configuration works when i type
in my username as 'username@domain', when i let windows fill it in i don't
get in.</font>
<br><font size=2 face="sans-serif">My password gets locked after 3 attempts,
and the wifi retries several times. If you look higher in the file you
will see another error:(logon failure)</font>
<br>
<br><font size=2 face="sans-serif">It works with the standard certs, so
for finding a good working configuration this is ok for now. Obviously
i will change this for production.</font>
<br>
<br><font size=2 face="sans-serif">Stieven Struyf<br>
M.I.S. Division - System Operations <br>
Komatsu Europe International NV<br>
Mechelsesteenweg 586<br>
B-1800 Vilvoorde<br>
Stieven.Struyf@komatsu.eu<br>
Tel. +32 (0)2 2552551</font>
<br>
<br>
<br>
<table width=100%>
<tr valign=top>
<td width=40%><font size=1 face="sans-serif"><b>"King, Michael"
<MKing@bridgew.edu></b> </font>
<p><font size=1 face="sans-serif">11/06/2006 04:04 PM</font>
<td width=59%>
<table width=100%>
<tr valign=top>
<td>
<div align=right><font size=1 face="sans-serif">To</font></div>
<td><font size=1 face="sans-serif"><Stieven.Struyf@komatsu.eu>, "FreeRadius
users mailing list" <freeradius-users@lists.freeradius.org></font>
<tr valign=top>
<td>
<div align=right><font size=1 face="sans-serif">cc</font></div>
<td>
<tr valign=top>
<td>
<div align=right><font size=1 face="sans-serif">Subject</font></div>
<td><font size=1 face="sans-serif">RE: freeradius and ntlm_auth howto</font></table>
<br>
<table>
<tr valign=top>
<td>
<td></table>
<br></table>
<br>
<br>
<br><font size=2 color=blue face="Arial">Some things I've noticed from
your attached files</font>
<br><font size=3> </font>
<br><font size=2 color=blue face="Arial">Module: Loaded MS-CHAP <br>
mschap: use_mppe = yes<br>
mschap: require_encryption = yes<br>
mschap: require_strong = yes</font>
<br><font size=3> </font>
<br><font size=2 color=blue face="Arial">I've never enabled these before,
I'm unaware what affect they will have</font>
<br><font size=3> </font>
<br><font size=3> </font>
<br><font size=2 color=blue face="Arial">tls: pem_file_type = yes<br>
tls: private_key_file = "/etc/raddb/certs/cert-srv.pem"<br>
tls: certificate_file = "/etc/raddb/certs/cert-srv.pem"<br>
tls: CA_file = "/etc/raddb/certs/demoCA/cacert.pem"<br>
tls: private_key_password = "whatever"<br>
tls: dh_file = "/etc/raddb/certs/dh"<br>
tls: random_file = "/etc/raddb/certs/random"</font>
<br><font size=3> </font>
<br><font size=2 color=blue face="Arial">Did you generate your OWN certs...
They one's that ship with the server ARE NOT vailid. You have to
generate your own.</font>
<br><font size=3> </font>
<br><font size=2 color=blue face="Arial">rlm_eap: Loaded and initialized
type peap<br>
mschapv2: with_ntdomain_hack = no<br>
rlm_eap: Loaded and initialized type mschapv2</font>
<br><font size=3> </font>
<br><font size=2 color=blue face="Arial">That doesn't look right</font>
<br><font size=3> </font>
<br><font size=3> </font>
<br><font size=3> </font>
<br><font size=2 color=blue face="Arial">BUT YOUR FINAL ANSWER:</font>
<br><font size=3> </font>
<br><font size=3> </font>
<br><font size=2 color=blue face="Arial">xec-Program: /usr/bin/ntlm_auth
--request-nt-key --username=sstruyf --challenge=b9ee04ca891c7b7d --nt-response=79b960c773fa101929d3bf8e738168e8b6d8ae8cd61f64f0<br>
Exec-Program output: Account locked out (0xc0000234) <br>
Exec-Program-Wait: plaintext: Account locked out (0xc0000234) <br>
Exec-Program: returned: 1<br>
rlm_mschap: External script failed.<br>
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect</font>
<br><font size=3> </font>
<br><font size=3> </font>
<br><font size=2 color=blue face="Arial">Your account in the domain is
not correct.</font>
<br><font size=3> </font>
<br><font size=2 color=blue face="Arial">Looks like it's been disabled
or something.</font>
<br><font size=3> </font>
<br><font size=2 color=blue face="Arial">Fix that first before you change
anymore config files.</font>
<br>
<br>
<hr><font size=2 face="Tahoma"><b>From:</b> Stieven.Struyf@komatsu.eu [mailto:Stieven.Struyf@komatsu.eu]
<b><br>
Sent:</b> Monday, November 06, 2006 3:16 AM<b><br>
To:</b> King, Michael<b><br>
Subject:</b> Fw: freeradius and ntlm_auth howto</font><font size=3><br>
</font>
<br><font size=2 face="sans-serif"><br>
Michael,</font><font size=3> </font><font size=2 face="sans-serif"><br>
I sent my reply already to the list, but due to the size(larger than 100k)
it had to be reviewed by the admin and after a week it was rejected.</font><font size=3>
</font><font size=2 face="sans-serif"><br>
Below you can find the mail. Thanks for helping me.</font><font size=3>
<br>
</font><font size=2 face="sans-serif"><br>
Stieven Struyf<br>
M.I.S. Division - System Operations <br>
Komatsu Europe International NV<br>
Mechelsesteenweg 586<br>
B-1800 Vilvoorde<br>
Stieven.Struyf@komatsu.eu<br>
Tel. +32 (0)2 2552551</font><font size=3> </font><font size=1 color=#800080 face="sans-serif"><br>
----- Forwarded by Stieven Struyf/KEISA/BE/KOMEUR on 11/06/2006 09:13 AM
-----</font><font size=3> </font>
<table width=100%>
<tr valign=top>
<td width=36%><font size=1 face="sans-serif"><b>Stieven Struyf/KEISA/BE/KOMEUR</b></font><font size=3>
</font>
<p><font size=1 face="sans-serif">11/02/2006 08:55 AM</font><font size=3>
</font>
<td width=63%>
<br>
<table width=100%>
<tr valign=top>
<td width=10%>
<div align=right><font size=1 face="sans-serif">To</font></div>
<td width=89%><font size=1 face="sans-serif">FreeRadius users mailing list
<freeradius-users@lists.freeradius.org></font><font size=3> </font>
<tr valign=top>
<td>
<div align=right><font size=1 face="sans-serif">cc</font></div>
<td>
<tr valign=top>
<td>
<div align=right><font size=1 face="sans-serif">Subject</font></div>
<td><font size=1 face="sans-serif">RE: freeradius and ntlm_auth howto</font><a href=Notes://bent63ke/C1257011005324FB/DABA975B9FB113EB852564B5001283EA/625A148B6EA233CDC125721400531414><font size=3 color=blue><u>Link</u></font></a></table>
<br>
<br>
<table width=100%>
<tr valign=top>
<td width=50%>
<td width=50%></table>
<br></table>
<br><font size=3><br>
</font><font size=2 face="sans-serif"><br>
I added the debuglog as attachment(as it is a little large to paste here).</font><font size=3>
</font><font size=2 face="sans-serif"><br>
This is the mschap config:</font><font size=3> </font><font size=2 face="sans-serif"><br>
mschap {</font><font size=3> </font><font size=2 face="sans-serif"><br>
authtype = MS-CHAP</font><font size=3>
</font><font size=2 face="sans-serif"><br>
use_mppe = yes</font><font size=3>
</font><font size=2 face="sans-serif"><br>
require_strong
= yes</font><font size=3> </font><font size=2 face="sans-serif"><br>
with_ntdomain_hack
= yes</font><font size=3> </font><font size=2 face="sans-serif"><br>
require_encryption
= yes</font><font size=3> </font><font size=2 face="sans-serif"><br>
ntlm_auth = "/usr/bin/ntlm_auth
--request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge}
--nt-response=%{mschap:NT-Response}"</font><font size=3> </font><font size=2 face="sans-serif"><br>
}</font><font size=3> <br>
<br>
</font><font size=2 face="sans-serif"><br>
Stieven Struyf<br>
M.I.S. Division - System Operations <br>
Komatsu Europe International NV<br>
Mechelsesteenweg 586<br>
B-1800 Vilvoorde<br>
Stieven.Struyf@komatsu.eu<br>
Tel. +32 (0)2 2552551</font><font size=3> <br>
</font><tt><font size=2><br>
freeradius-users-bounces+stieven.struyf=komatsu.eu@lists.freeradius.org
wrote on 10/27/2006 04:36:00 PM:<br>
<br>
> Let's see if we can get this solved... <br>
> <br>
> > -----Original Message-----<br>
> > Here's the full log: <br>
> > Waking up in 6 seconds... <br>
> > rad_recv: Access-Request packet from host 10.104.254.73:1645,
<br>
> <br>
> This is NOT the full log. The full log would have started with
the line<br>
> /path/to/radiusd -X<br>
> <br>
> Some important stuff is printed out there, it helps us help you. <br>
> <br>
> <br>
> > rlm_mschap: NT Domain delimeter found, should we have
<br>
> > enabled with_ntdomain_hack? <br>
> > rlm_mschap: NT Domain delimeter found, should we have
<br>
> > enabled with_ntdomain_hack? <br>
> <br>
> Did you enable Ntdomain Hack in the MSCHAP module? (See below)<br>
> <br>
> <br>
> Including your radius.conf file would help.<br>
> <br>
> <br>
> > > HOWEVER, first you may want to check your mschap module
definition:<br>
> > > <br>
> > > modules {<br>
> > > mschap {<br>
> > > ntlm_auth = "/usr/bin/ntlm_auth
\<br>
> > > --request-nt-key \<br>
> > > --username=%{mschap:User-Name:-None} \<br>
> > > --domain=%{mschap:NT-Domain:-None} \<br>
> > > --challenge=%{mschap:Challenge:-00} \<br>
> > > --nt-response=%{mschap:NT-Response:-00}"<br>
> > > <br>
> > > ...all on one line of course. Note the use of the <br>
> > "mschap:User-Name" <br>
> > > and "mschap:NT-Domain" values.<br>
> <br>
> Mine radiusd.conf file's mschap section looks like this:<br>
> NOTE that I do NOT have the :-00 and the :-None statements, and I
DO<br>
> have with_ntdomain_hack=yes<br>
> <br>
> <br>
> # Microsoft CHAP authentication<br>
> #<br>
> # This module supports MS-CHAP and
MS-CHAPv2 authentication.<br>
> # It also enforces the SMB-Account-Ctrl
attribute.<br>
> #<br>
> mschap {<br>
> with_ntdomain_hack
= yes<br>
> ntlm_auth = "/usr/bin/ntlm_auth
\<br>
> --request-nt-key \<br>
> --username=%{mschap:User-Name} \<br>
> --challenge=%{mschap:Challenge}
\<br>
> --nt-response=%{mschap:NT-Response}<br>
> }<br>
> <br>
> <br>
> - <br>
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html</font></tt>
<br>