<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2900.2963" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=648563115-06112006><FONT face=Arial
color=#0000ff size=2>Actually this is the exact same problem I have. I need to
type my credentials in for authentication to work. If I let Windows do it,
I won't get in. </FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=648563115-06112006><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=648563115-06112006><FONT face=Arial
color=#0000ff size=2>If any of you could please help us out with this
issue, that'd be great</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=648563115-06112006><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=648563115-06112006><FONT face=Arial
color=#0000ff size=2>Cheers</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=648563115-06112006><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=648563115-06112006><FONT face=Arial
color=#0000ff size=2>Héctor</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=648563115-06112006><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=648563115-06112006><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV><BR>
<DIV class=OutlookMessageHeader lang=en dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B>
freeradius-users-bounces+hector.ortiz=swisscom.com@lists.freeradius.org
[mailto:freeradius-users-bounces+hector.ortiz=swisscom.com@lists.freeradius.org]
<B>On behalf of </B>Stieven.Struyf@komatsu.eu<BR><B>Sent:</B> Monday, 6
November 2006 16:17<BR><B>To:</B> King, Michael<BR><B>Cc:</B>
freeradius-users@lists.freeradius.org<BR><B>Subject:</B> RE: freeradius and
ntlm_auth howto<BR></FONT><BR></DIV>
<DIV></DIV><BR><FONT face=sans-serif size=2>Michael,</FONT> <BR><FONT
face=sans-serif size=2>The configuration works when I type in my username as
'username@domain'; when I let Windows fill it in, I don't get in.</FONT>
<BR><FONT face=sans-serif size=2>My password gets locked after 3 attempts, and
the wifi retries several times. If you look higher in the file you will see
another error: (logon failure)</FONT> <BR><BR><FONT face=sans-serif size=2>It
works with the standard certs, so for finding a good working configuration this
is OK for now. Obviously I will change this for production.</FONT> <BR><BR><FONT
face=sans-serif size=2>Stieven Struyf<BR>M.I.S. Division - System Operations
<BR>Komatsu Europe International NV<BR>Mechelsesteenweg 586<BR>B-1800
Vilvoorde<BR>Stieven.Struyf@komatsu.eu<BR>Tel. +32 (0)2 2552551</FONT>
<BR><BR><BR>
<TABLE width="100%">
<TBODY>
<TR vAlign=top>
<TD width="40%"><FONT face=sans-serif size=1><B>"King, Michael"
<MKing@bridgew.edu></B> </FONT>
<P><FONT face=sans-serif size=1>11/06/2006 04:04 PM</FONT> </P>
<TD width="59%">
<TABLE width="100%">
<TBODY>
<TR vAlign=top>
<TD>
<DIV align=right><FONT face=sans-serif size=1>To</FONT></DIV>
<TD><FONT face=sans-serif size=1><Stieven.Struyf@komatsu.eu>,
"FreeRadius users mailing list"
<freeradius-users@lists.freeradius.org></FONT>
<TR vAlign=top>
<TD>
<DIV align=right><FONT face=sans-serif size=1>cc</FONT></DIV>
<TD>
<TR vAlign=top>
<TD>
<DIV align=right><FONT face=sans-serif size=1>Subject</FONT></DIV>
<TD><FONT face=sans-serif size=1>RE: freeradius and ntlm_auth
howto</FONT></TR></TBODY></TABLE><BR>
<TABLE>
<TBODY>
<TR vAlign=top>
<TD>
<TD></TR></TBODY></TABLE><BR></TR></TBODY></TABLE><BR><BR><BR><FONT face=Arial
color=blue size=2>Some things I've noticed from your attached files</FONT>
<BR><FONT size=3> </FONT> <BR><FONT face=Arial color=blue size=2>Module:
Loaded MS-CHAP <BR>mschap: use_mppe = yes<BR>mschap: require_encryption =
yes<BR>mschap: require_strong = yes</FONT> <BR><FONT size=3> </FONT>
<BR><FONT face=Arial color=blue size=2>I've never enabled these before, I'm
unaware what effect they will have</FONT> <BR><FONT size=3> </FONT>
<BR><FONT size=3> </FONT> <BR><FONT face=Arial color=blue size=2>tls:
pem_file_type = yes<BR>tls: private_key_file =
"/etc/raddb/certs/cert-srv.pem"<BR>tls: certificate_file =
"/etc/raddb/certs/cert-srv.pem"<BR>tls: CA_file =
"/etc/raddb/certs/demoCA/cacert.pem"<BR>tls: private_key_password =
"whatever"<BR>tls: dh_file = "/etc/raddb/certs/dh"<BR>tls: random_file =
"/etc/raddb/certs/random"</FONT> <BR><FONT size=3> </FONT> <BR><FONT
face=Arial color=blue size=2>Did you generate your OWN certs... The ones
that ship with the server ARE NOT valid. You have to generate your own.</FONT>
<BR><FONT size=3> </FONT> <BR><FONT face=Arial color=blue size=2>rlm_eap:
Loaded and initialized type peap<BR>mschapv2: with_ntdomain_hack =
no<BR>rlm_eap: Loaded and initialized type mschapv2</FONT> <BR><FONT
size=3> </FONT> <BR><FONT face=Arial color=blue size=2>That doesn't look
right</FONT> <BR><FONT size=3> </FONT> <BR><FONT size=3> </FONT>
<BR><FONT size=3> </FONT> <BR><FONT face=Arial color=blue size=2>BUT YOUR
FINAL ANSWER:</FONT> <BR><FONT size=3> </FONT> <BR><FONT
size=3> </FONT> <BR><FONT face=Arial color=blue size=2>Exec-Program:
/usr/bin/ntlm_auth --request-nt-key --username=sstruyf
--challenge=b9ee04ca891c7b7d
--nt-response=79b960c773fa101929d3bf8e738168e8b6d8ae8cd61f64f0<BR>Exec-Program
output: Account locked out (0xc0000234) <BR>Exec-Program-Wait: plaintext:
Account locked out (0xc0000234) <BR>Exec-Program: returned:
1<BR> rlm_mschap: External script failed.<BR> rlm_mschap: FAILED:
MS-CHAP2-Response is incorrect</FONT> <BR><FONT size=3> </FONT> <BR><FONT
size=3> </FONT> <BR><FONT face=Arial color=blue size=2>Your account in the
domain is not correct.</FONT> <BR><FONT size=3> </FONT> <BR><FONT
face=Arial color=blue size=2>Looks like it's been disabled or something.</FONT>
<BR><FONT size=3> </FONT> <BR><FONT face=Arial color=blue size=2>Fix that
first before you change any more config files.</FONT> <BR><BR>
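<P>The failure Michael points at above (a challenge/response pair that the domain controller rejects, retried by the supplicant until the account locks out) and the with_ntdomain_hack question in the quoted messages further down come from one detail of MS-CHAPv2: a Windows supplicant sends its User-Name as DOMAIN\user but computes the response with the bare user name. The Python below is an added example, not code from this thread, from FreeRADIUS or from Samba. It reproduces the RFC 2759 ChallengeHash that rlm_mschap expands as %{mschap:Challenge}, shows that the value changes when the domain prefix is left in the name, and builds the ntlm_auth argument list the way the thread's config does. The domain-splitting helper, the use of the RFC 2759 test vector, the EXAMPLE domain and the 24 zero bytes standing in for a captured NT-Response are assumptions for illustration; the script does not call ntlm_auth.</P>

```python
import hashlib

# Test vector from RFC 2759 section 9.2 (MS-CHAPv2), user name "User".
RFC2759_PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
RFC2759_AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
RFC2759_CHALLENGE = bytes.fromhex("D02E4386BCE91226")


def split_ntdomain(user_name):
    """What with_ntdomain_hack = yes does to the name: 'DOMAIN\\user' becomes
    ('DOMAIN', 'user'); a name without a backslash keeps an empty domain.
    (Illustrative helper, not rlm_mschap's own code.)"""
    domain, sep, user = user_name.partition("\\")
    if not sep:
        return "", user_name
    return domain, user


def challenge_hash(peer_challenge, auth_challenge, user_name):
    """RFC 2759 ChallengeHash(): first 8 octets of
    SHA1(PeerChallenge || AuthenticatorChallenge || UserName).
    rlm_mschap passes this as --challenge=%{mschap:Challenge}; the Windows
    client computes its NT-Response over the user name WITHOUT the domain."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges are 16 octets")
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(auth_challenge)
    h.update(user_name.encode("utf-8"))
    return h.digest()[:8]


def ntlm_auth_argv(user_name, peer_challenge, auth_challenge, nt_response,
                   ntdomain_hack=True):
    """Build the ntlm_auth command line the thread's mschap config runs,
    as an argv list (subprocess.run without a shell, so no quoting issues).
    With ntdomain_hack=False the DOMAIN\\ prefix stays in the name and so in
    the challenge hash: the DC then sees a response for a different challenge
    and reports a logon failure, and enough retries lock the account."""
    if ntdomain_hack:
        domain, user = split_ntdomain(user_name)
    else:
        domain, user = "", user_name
    challenge = challenge_hash(peer_challenge, auth_challenge, user)
    argv = [
        "/usr/bin/ntlm_auth",
        "--request-nt-key",
        "--username=" + user,
        "--challenge=" + challenge.hex(),
        "--nt-response=" + nt_response.hex(),
    ]
    if domain:
        argv.append("--domain=" + domain)
    return argv


def compare_hack_setting(user_name, peer_challenge, auth_challenge):
    """Challenge hash for the same supplicant-supplied User-Name with the
    hack on and off, so the difference is visible side by side."""
    _, bare = split_ntdomain(user_name)
    return {
        "with_ntdomain_hack=yes": challenge_hash(peer_challenge, auth_challenge, bare).hex(),
        "with_ntdomain_hack=no": challenge_hash(peer_challenge, auth_challenge, user_name).hex(),
    }


if __name__ == "__main__":
    # Constructed input: a Windows supplicant auto-filling DOMAIN\user.
    # The NT-Response is a placeholder (24 zero bytes), not a real capture.
    win_name = "EXAMPLE\\User"
    fake_nt_response = bytes(24)
    for setting, value in compare_hack_setting(
            win_name, RFC2759_PEER_CHALLENGE, RFC2759_AUTH_CHALLENGE).items():
        print(f"{setting:24s} --challenge={value}")
    print(" ".join(ntlm_auth_argv(win_name, RFC2759_PEER_CHALLENGE,
                                  RFC2759_AUTH_CHALLENGE, fake_nt_response)))
```

<P>Run it and the two --challenge values differ for the same user; only the with_ntdomain_hack=yes line reproduces the RFC 2759 value D02E4386BCE91226 for user "User". That is why a name typed as username@domain (no backslash) worked in the thread while the Windows-filled DOMAIN\user form failed, and why the retries ended in "Account locked out (0xc0000234)".</P>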
<HR>
<FONT face=Tahoma size=2><B>From:</B> Stieven.Struyf@komatsu.eu
[mailto:Stieven.Struyf@komatsu.eu] <B><BR>Sent:</B> Monday, November 06, 2006
3:16 AM<B><BR>To:</B> King, Michael<B><BR>Subject:</B> Fw: freeradius and
ntlm_auth howto</FONT><FONT size=3><BR></FONT><BR><FONT face=sans-serif
size=2><BR>Michael,</FONT><FONT size=3> </FONT><FONT face=sans-serif
size=2><BR>I sent my reply already to the list, but due to the size (larger than
100k) it had to be reviewed by the admin and after a week it was
rejected.</FONT><FONT size=3> </FONT><FONT face=sans-serif size=2><BR>Below you
can find the mail. Thanks for helping me.</FONT><FONT size=3> <BR></FONT><FONT
face=sans-serif size=2><BR>Stieven Struyf<BR>M.I.S. Division - System Operations
<BR>Komatsu Europe International NV<BR>Mechelsesteenweg 586<BR>B-1800
Vilvoorde<BR>Stieven.Struyf@komatsu.eu<BR>Tel. +32 (0)2 2552551</FONT><FONT
size=3> </FONT><FONT face=sans-serif color=#800080 size=1><BR>----- Forwarded by
Stieven Struyf/KEISA/BE/KOMEUR on 11/06/2006 09:13 AM -----</FONT><FONT size=3>
</FONT>
<TABLE width="100%">
<TBODY>
<TR vAlign=top>
<TD width="36%"><FONT face=sans-serif size=1><B>Stieven
Struyf/KEISA/BE/KOMEUR</B></FONT><FONT size=3> </FONT>
<P><FONT face=sans-serif size=1>11/02/2006 08:55 AM</FONT><FONT size=3>
</FONT></P>
<TD width="63%"><BR>
<TABLE width="100%">
<TBODY>
<TR vAlign=top>
<TD width="10%">
<DIV align=right><FONT face=sans-serif size=1>To</FONT></DIV>
<TD width="89%"><FONT face=sans-serif size=1>FreeRadius users
mailing list
<freeradius-users@lists.freeradius.org></FONT><FONT size=3>
</FONT>
<TR vAlign=top>
<TD>
<DIV align=right><FONT face=sans-serif size=1>cc</FONT></DIV>
<TD>
<TR vAlign=top>
<TD>
<DIV align=right><FONT face=sans-serif size=1>Subject</FONT></DIV>
<TD><FONT face=sans-serif size=1>RE: freeradius and ntlm_auth
howto</FONT></TR></TBODY></TABLE><BR><BR>
<TABLE width="100%">
<TBODY>
<TR vAlign=top>
<TD width="50%">
<TD width="50%"></TR></TBODY></TABLE><BR></TR></TBODY></TABLE><BR><FONT
size=3><BR></FONT><FONT face=sans-serif size=2><BR>I added the debug log as
attachment (as it is a little large to paste here).</FONT><FONT size=3>
</FONT><FONT face=sans-serif size=2><BR>This is the mschap config:</FONT><FONT
size=3> </FONT><FONT face=sans-serif size=2><BR>mschap {</FONT><FONT size=3>
</FONT><FONT face=sans-serif size=2><BR>
authtype = MS-CHAP</FONT><FONT size=3> </FONT><FONT
face=sans-serif size=2><BR>
use_mppe = yes</FONT><FONT size=3> </FONT><FONT face=sans-serif
size=2><BR> require_strong
= yes</FONT><FONT size=3> </FONT><FONT face=sans-serif size=2><BR>
with_ntdomain_hack = yes</FONT><FONT
size=3> </FONT><FONT face=sans-serif size=2><BR>
require_encryption = yes</FONT><FONT size=3>
</FONT><FONT face=sans-serif size=2><BR>
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{mschap:User-Name} --challenge=%{mschap:Challenge}
--nt-response=%{mschap:NT-Response}"</FONT><FONT size=3> </FONT><FONT
face=sans-serif size=2><BR> }</FONT><FONT size=3>
<BR><BR></FONT><FONT face=sans-serif size=2><BR>Stieven Struyf<BR>M.I.S.
Division - System Operations <BR>Komatsu Europe International
NV<BR>Mechelsesteenweg 586<BR>B-1800
Vilvoorde<BR>Stieven.Struyf@komatsu.eu<BR>Tel. +32 (0)2 2552551</FONT><FONT
size=3> <BR></FONT><TT><FONT
size=2><BR>freeradius-users-bounces+stieven.struyf=komatsu.eu@lists.freeradius.org
wrote on 10/27/2006 04:36:00 PM:<BR><BR>> Let's see if we can get this
solved... <BR>> <BR>> > -----Original Message-----<BR>> > Here's
the full log: <BR>> > Waking up in 6 seconds... <BR>> > rad_recv:
Access-Request packet from host 10.104.254.73:1645, <BR>> <BR>> This is
NOT the full log. The full log would have started with the line<BR>>
/path/to/radiusd -X<BR>> <BR>> Some important stuff is printed out there,
it helps us help you. <BR>> <BR>> <BR>> > rlm_mschap:
NT Domain delimeter found, should we have <BR>> > enabled
with_ntdomain_hack? <BR>> > rlm_mschap: NT Domain delimeter found,
should we have <BR>> > enabled with_ntdomain_hack? <BR>> <BR>> Did
you enable Ntdomain Hack in the MSCHAP module? (See below)<BR>>
<BR>> <BR>> Including your radius.conf file would help.<BR>> <BR>>
<BR>> > > HOWEVER, first you may want to check your mschap module
definition:<BR>> > > <BR>> > > modules {<BR>> > >
mschap {<BR>> > > ntlm_auth =
"/usr/bin/ntlm_auth \<BR>> > > --request-nt-key \<BR>> >
> --username=%{mschap:User-Name:-None} \<BR>> > >
--domain=%{mschap:NT-Domain:-None} \<BR>> > >
--challenge=%{mschap:Challenge:-00} \<BR>> > >
--nt-response=%{mschap:NT-Response:-00}"<BR>> > > <BR>> > >
...all on one line of course. Note the use of the <BR>> >
"mschap:User-Name" <BR>> > > and "mschap:NT-Domain" values.<BR>>
<BR>> My radiusd.conf file's mschap section looks like this:<BR>> NOTE
that I do NOT have the :-00 and the :-None statements, and I DO<BR>> have
with_ntdomain_hack=yes<BR>> <BR>> <BR>> #
Microsoft CHAP authentication<BR>> #<BR>>
# This module supports MS-CHAP and MS-CHAPv2
authentication.<BR>> # It also enforces the
SMB-Account-Ctrl attribute.<BR>> #<BR>>
mschap {<BR>>
with_ntdomain_hack = yes<BR>>
ntlm_auth = "/usr/bin/ntlm_auth \<BR>>
--request-nt-key \<BR>>
--username=%{mschap:User-Name} \<BR>>
--challenge=%{mschap:Challenge} \<BR>>
--nt-response=%{mschap:NT-Response}"<BR>>
}<BR>> <BR>> <BR>> - <BR>> List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html</FONT></TT> <BR></BODY></HTML>