<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2900.2963" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=946402914-06112006>Some things I've noticed from your attached
files</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=946402914-06112006></SPAN></FONT> </DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=946402914-06112006>Module: Loaded MS-CHAP <BR> mschap: use_mppe =
yes<BR> mschap: require_encryption = yes<BR> mschap: require_strong =
yes</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=946402914-06112006></SPAN></FONT> </DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=946402914-06112006>I've never enabled these before; I'm unaware what
effect they will have.</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=946402914-06112006></SPAN></FONT> </DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=946402914-06112006></SPAN></FONT> </DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=946402914-06112006>tls: pem_file_type = yes<BR> tls: private_key_file
= "/etc/raddb/certs/cert-srv.pem"<BR> tls: certificate_file =
"/etc/raddb/certs/cert-srv.pem"<BR> tls: CA_file =
"/etc/raddb/certs/demoCA/cacert.pem"<BR> tls: private_key_password =
"whatever"<BR> tls: dh_file = "/etc/raddb/certs/dh"<BR> tls:
random_file = "/etc/raddb/certs/random"</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=946402914-06112006></SPAN></FONT> </DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=946402914-06112006>Did you generate your OWN certs? The ones
that ship with the server ARE NOT valid. You have to generate your
own.</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=946402914-06112006></SPAN></FONT> </DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=946402914-06112006>rlm_eap: Loaded and initialized type
peap<BR> mschapv2: with_ntdomain_hack = no<BR>rlm_eap: Loaded and
initialized type mschapv2</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=946402914-06112006></SPAN></FONT> </DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=946402914-06112006>That doesn't look right</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=946402914-06112006></SPAN></FONT> </DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=946402914-06112006></SPAN></FONT> </DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=946402914-06112006></SPAN></FONT> </DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=946402914-06112006>BUT YOUR FINAL ANSWER:</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=946402914-06112006></SPAN></FONT> </DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=946402914-06112006></SPAN></FONT> </DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=946402914-06112006>Exec-Program: /usr/bin/ntlm_auth --request-nt-key
--username=sstruyf --challenge=b9ee04ca891c7b7d
--nt-response=79b960c773fa101929d3bf8e738168e8b6d8ae8cd61f64f0<BR>Exec-Program
output: Account locked out (0xc0000234) <BR>Exec-Program-Wait: plaintext:
Account locked out (0xc0000234) <BR>Exec-Program: returned: 1<BR>
rlm_mschap: External script failed.<BR> rlm_mschap: FAILED:
MS-CHAP2-Response is incorrect</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=946402914-06112006></SPAN></FONT> </DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=946402914-06112006></SPAN></FONT> </DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=946402914-06112006>Your account in the domain is not
correct.</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=946402914-06112006></SPAN></FONT> </DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=946402914-06112006>Looks like it's been disabled or
something.</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=946402914-06112006></SPAN></FONT> </DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=946402914-06112006>Fix that first before you change any more config
files.</SPAN></FONT></DIV><BR>
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> Stieven.Struyf@komatsu.eu
[mailto:Stieven.Struyf@komatsu.eu] <BR><B>Sent:</B> Monday, November 06, 2006
3:16 AM<BR><B>To:</B> King, Michael<BR><B>Subject:</B> Fw: freeradius and
ntlm_auth howto<BR></FONT><BR></DIV>
<DIV></DIV><BR><FONT face=sans-serif size=2>Michael,</FONT> <BR><FONT
face=sans-serif size=2>I sent my reply already to the list, but due to its
size (larger than 100k) it had to be reviewed by the admin, and after a week it
was rejected.</FONT> <BR><FONT face=sans-serif size=2>Below you can find the
mail. Thanks for helping me.</FONT> <BR><BR><FONT face=sans-serif
size=2>Stieven Struyf<BR>M.I.S. Division - System Operations <BR>Komatsu
Europe International NV<BR>Mechelsesteenweg 586<BR>B-1800
Vilvoorde<BR>Stieven.Struyf@komatsu.eu<BR>Tel. +32 (0)2 2552551</FONT>
<BR><FONT face=sans-serif color=#800080 size=1>----- Forwarded by Stieven
Struyf/KEISA/BE/KOMEUR on 11/06/2006 09:13 AM -----</FONT> <BR>
<TABLE width="100%">
<TBODY>
<TR vAlign=top>
<TD width="40%"><FONT face=sans-serif size=1><B>Stieven
Struyf/KEISA/BE/KOMEUR</B></FONT>
<P><FONT face=sans-serif size=1>11/02/2006 08:55 AM</FONT> </P>
<TD width="59%">
<TABLE width="100%">
<TBODY>
<TR vAlign=top>
<TD>
<DIV align=right><FONT face=sans-serif size=1>To</FONT></DIV>
<TD><FONT face=sans-serif size=1>FreeRadius users mailing list
<freeradius-users@lists.freeradius.org></FONT>
<TR vAlign=top>
<TD>
<DIV align=right><FONT face=sans-serif size=1>cc</FONT></DIV>
<TD>
<TR vAlign=top>
<TD>
<DIV align=right><FONT face=sans-serif size=1>Subject</FONT></DIV>
<TD><FONT face=sans-serif size=1>RE: freeradius and ntlm_auth
howto</FONT></TR></TBODY></TABLE><BR>
<TABLE>
<TBODY>
<TR vAlign=top>
<TD>
<TD></TR></TBODY></TABLE><BR></TR></TBODY></TABLE><BR><BR><FONT
face=sans-serif size=2>I added the debug log as an attachment (as it is a little
large to paste here).</FONT> <BR><FONT face=sans-serif size=2>This is the
mschap config:</FONT> <BR><FONT face=sans-serif size=2> mschap {</FONT>
<BR><FONT face=sans-serif size=2>
authtype = MS-CHAP</FONT> <BR><FONT face=sans-serif
size=2> use_mppe =
yes</FONT> <BR><FONT face=sans-serif size=2>
require_strong = yes</FONT> <BR><FONT face=sans-serif
size=2>
with_ntdomain_hack = yes</FONT> <BR><FONT face=sans-serif size=2>
require_encryption = yes</FONT>
<BR><FONT face=sans-serif size=2>
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{mschap:User-Name} --challenge=%{mschap:Challenge}
--nt-response=%{mschap:NT-Response}"</FONT> <BR><FONT face=sans-serif
size=2> }</FONT> <BR><BR><BR><FONT face=sans-serif
size=2>Stieven Struyf<BR>M.I.S. Division - System Operations <BR>Komatsu
Europe International NV<BR>Mechelsesteenweg 586<BR>B-1800
Vilvoorde<BR>Stieven.Struyf@komatsu.eu<BR>Tel. +32 (0)2 2552551</FONT>
<BR><BR><TT><FONT
size=2>freeradius-users-bounces+stieven.struyf=komatsu.eu@lists.freeradius.org
wrote on 10/27/2006 04:36:00 PM:<BR><BR>> Let's see if we can get this
solved... <BR>> <BR>> > -----Original Message-----<BR>> >
Here's the full log: <BR>> > Waking up in 6 seconds... <BR>> >
rad_recv: Access-Request packet from host 10.104.254.73:1645, <BR>>
<BR>> This is NOT the full log. The full log would have started with
the line<BR>> /path/to/radiusd -X<BR>> <BR>> Some important stuff is
printed out there, it helps us help you. <BR>> <BR>> <BR>> >
rlm_mschap: NT Domain delimeter found, should we have <BR>> >
enabled with_ntdomain_hack? <BR>> > rlm_mschap: NT Domain
delimeter found, should we have <BR>> > enabled with_ntdomain_hack?
<BR>> <BR>> Did you enable Ntdomain Hack in the MSCHAP module?
(See below)<BR>> <BR>> <BR>> Including your radius.conf file
would help.<BR>> <BR>> <BR>> > > HOWEVER, first you may want to
check your mschap module definition:<BR>> > > <BR>> > >
modules {<BR>> > > mschap {<BR>> > >
ntlm_auth = "/usr/bin/ntlm_auth \<BR>> > >
--request-nt-key \<BR>> > >
--username=%{mschap:User-Name:-None} \<BR>> > >
--domain=%{mschap:NT-Domain:-None} \<BR>> > >
--challenge=%{mschap:Challenge:-00} \<BR>> > >
--nt-response=%{mschap:NT-Response:-00}"<BR>> > > <BR>> > >
...all on one line of course. Note the use of the <BR>> >
"mschap:User-Name" <BR>> > > and "mschap:NT-Domain" values.<BR>>
<BR>> My radiusd.conf file's mschap section looks like this:<BR>> NOTE
that I do NOT have the :-00 and the :-None statements, and I DO<BR>> have
with_ntdomain_hack = yes<BR>> <BR>> <BR>> #
Microsoft CHAP authentication<BR>> #<BR>>
# This module supports MS-CHAP and MS-CHAPv2
authentication.<BR>> # It also enforces
the SMB-Account-Ctrl attribute.<BR>> #<BR>>
mschap {<BR>>
with_ntdomain_hack = yes<BR>>
ntlm_auth = "/usr/bin/ntlm_auth \<BR>>
--request-nt-key \<BR>>
--username=%{mschap:User-Name} \<BR>>
--challenge=%{mschap:Challenge} \<BR>>
--nt-response=%{mschap:NT-Response}"<BR>>
}<BR>> <BR>> <BR>> - <BR>> List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html<BR></BLOCKQUOTE></FONT></TT></BODY></HTML>