<br><font size=2 face="sans-serif">I finally managed to filter out the
last issues with my setup. When I have more time I will post a small howto
that worked for me.</font>
<br><font size=2 face="sans-serif">Although people on the list told me
that there are plenty of guides already, I couldn't find one that worked.</font>
<br>
<br><font size=2 face="sans-serif">Thanks everyone for all hints that helped
me.</font>
<br>
<br><font size=2 face="sans-serif">Stieven Struyf<br>
M.I.S. Division - System Operations <br>
Komatsu Europe International NV<br>
Mechelsesteenweg 586<br>
B-1800 Vilvoorde<br>
Stieven.Struyf@komatsu.eu<br>
Tel. +32 (0)2 2552551</font>
<br>
<br><tt><font size=2>freeradius-users-bounces+stieven.struyf=komatsu.eu@lists.freeradius.org
wrote on 11/06/2006 04:36:25 PM:<br>
<br>
> Actually this is the exact same problem I have. I need to type my<br>
> credentials in for authentication to work. If I let windows do it, I<br>
> won't get in. </font></tt>
<br><tt><font size=2>> </font></tt>
<br><tt><font size=2>> If any of you could please help us out with this
issue, that'd be great</font></tt>
<br><tt><font size=2>> </font></tt>
<br><tt><font size=2>> Cheers</font></tt>
<br><tt><font size=2>> </font></tt>
<br><tt><font size=2>> Héctor</font></tt>
<br><tt><font size=2>> </font></tt>
<br><tt><font size=2>> </font></tt>
<br><tt><font size=2>> <br>
> From: freeradius-users-bounces+hector.ortiz=swisscom.com@lists.freeradius.org [mailto:freeradius-users-bounces+hector.ortiz=swisscom.com@lists.freeradius.org] On behalf of Stieven.Struyf@komatsu.eu<br>
> Sent: Monday, 6 November 2006 16:17<br>
> To: King, Michael<br>
> Cc: freeradius-users@lists.freeradius.org<br>
> Subject: RE: freeradius and ntlm_auth howto<br>
</font></tt>
<br><tt><font size=2>> <br>
> Michael, <br>
> The configuration works when I type in my username as <br>
> 'username@domain', when I let windows fill it in I don't get in. <br>
> My password gets locked after 3 attempts, and the wifi retries <br>
> several times. If you look higher in the file you will see another<br>
> error:(logon failure) <br>
> <br>
> It works with the standard certs, so for finding a good working <br>
> configuration this is ok for now. Obviously I will change this for<br>
> production.<br>
> <br>
> Stieven Struyf<br>
> M.I.S. Division - System Operations <br>
> Komatsu Europe International NV<br>
> Mechelsesteenweg 586<br>
> B-1800 Vilvoorde<br>
> Stieven.Struyf@komatsu.eu<br>
> Tel. +32 (0)2 2552551 <br>
> <br>
</font></tt>
<br><tt><font size=2>> <br>
> "King, Michael" <MKing@bridgew.edu> </font></tt>
<br><tt><font size=2>> 11/06/2006 04:04 PM </font></tt>
<br><tt><font size=2>> <br>
> To</font></tt>
<br><tt><font size=2>> <br>
> <Stieven.Struyf@komatsu.eu>, "FreeRadius users mailing list" <br>
> <freeradius-users@lists.freeradius.org> </font></tt>
<br><tt><font size=2>> <br>
> cc</font></tt>
<br><tt><font size=2>> <br>
> Subject</font></tt>
<br><tt><font size=2>> <br>
> RE: freeradius and ntlm_auth howto</font></tt>
<br><tt><font size=2>> <br>
> <br>
> <br>
> <br>
> Some things I've noticed from your attached files <br>
> <br>
> Module: Loaded MS-CHAP <br>
> mschap: use_mppe = yes<br>
> mschap: require_encryption = yes<br>
> mschap: require_strong = yes <br>
> <br>
> I've never enabled these before, I'm unaware what effect they will have <br>
> <br>
> <br>
> tls: pem_file_type = yes<br>
> tls: private_key_file = "/etc/raddb/certs/cert-srv.pem"<br>
> tls: certificate_file = "/etc/raddb/certs/cert-srv.pem"<br>
> tls: CA_file = "/etc/raddb/certs/demoCA/cacert.pem"<br>
> tls: private_key_password = "whatever"<br>
> tls: dh_file = "/etc/raddb/certs/dh"<br>
> tls: random_file = "/etc/raddb/certs/random" <br>
> <br>
> Did you generate your OWN certs... The ones that ship with the <br>
> server ARE NOT valid. You have to generate your own. <br>
> <br>
> rlm_eap: Loaded and initialized type peap<br>
> mschapv2: with_ntdomain_hack = no<br>
> rlm_eap: Loaded and initialized type mschapv2 <br>
> <br>
> That doesn't look right <br>
> <br>
> <br>
> <br>
> BUT YOUR FINAL ANSWER: <br>
> <br>
> <br>
> Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=sstruyf --challenge=b9ee04ca891c7b7d --nt-response=79b960c773fa101929d3bf8e738168e8b6d8ae8cd61f64f0<br>
> Exec-Program output: Account locked out (0xc0000234) <br>
> Exec-Program-Wait: plaintext: Account locked out (0xc0000234) <br>
> Exec-Program: returned: 1<br>
> rlm_mschap: External script failed.<br>
> rlm_mschap: FAILED: MS-CHAP2-Response is incorrect <br>
> <br>
> <br>
> Your account in the domain is not correct. <br>
> <br>
> Looks like it's been disabled or something. <br>
> <br>
> Fix that first before you change any more config files. <br>
> <br>
> From: Stieven.Struyf@komatsu.eu [mailto:Stieven.Struyf@komatsu.eu]<br>
> Sent: Monday, November 06, 2006 3:16 AM<br>
> To: King, Michael<br>
> Subject: Fw: freeradius and ntlm_auth howto<br>
> <br>
> <br>
> Michael, <br>
> I sent my reply already to the list, but due to the size (larger than<br>
> 100k) it had to be reviewed by the admin and after a week it was rejected.<br>
> Below you can find the mail. Thanks for helping me. <br>
> <br>
> Stieven Struyf<br>
> M.I.S. Division - System Operations <br>
> Komatsu Europe International NV<br>
> Mechelsesteenweg 586<br>
> B-1800 Vilvoorde<br>
> Stieven.Struyf@komatsu.eu<br>
> Tel. +32 (0)2 2552551 <br>
> ----- Forwarded by Stieven Struyf/KEISA/BE/KOMEUR on 11/06/2006 09:13 AM -----</font></tt>
<br><tt><font size=2>> <br>
> Stieven Struyf/KEISA/BE/KOMEUR </font></tt>
<br><tt><font size=2>> 11/02/2006 08:55 AM </font></tt>
<br><tt><font size=2>> <br>
> To</font></tt>
<br><tt><font size=2>> <br>
> FreeRadius users mailing list <freeradius-users@lists.freeradius.org></font></tt>
<br><tt><font size=2>> <br>
> cc</font></tt>
<br><tt><font size=2>> <br>
> Subject</font></tt>
<br><tt><font size=2>> <br>
> RE: freeradius and ntlm_auth howto</font></tt>
<br><tt><font size=2>> <br>
> <br>
</font></tt>
<br><tt><font size=2>> <br>
> <br>
> <br>
> <br>
> I added the debuglog as attachment (as it is a little large to paste here). <br>
> This is the mschap config: <br>
> mschap { <br>
> &nbsp;&nbsp;&nbsp;&nbsp;authtype = MS-CHAP <br>
> &nbsp;&nbsp;&nbsp;&nbsp;use_mppe = yes <br>
> &nbsp;&nbsp;&nbsp;&nbsp;require_strong = yes <br>
> &nbsp;&nbsp;&nbsp;&nbsp;with_ntdomain_hack = yes <br>
> &nbsp;&nbsp;&nbsp;&nbsp;require_encryption = yes <br>
> &nbsp;&nbsp;&nbsp;&nbsp;ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}" <br>
> } <br>
> <br>
> <br>
> Stieven Struyf<br>
> M.I.S. Division - System Operations <br>
> Komatsu Europe International NV<br>
> Mechelsesteenweg 586<br>
> B-1800 Vilvoorde<br>
> Stieven.Struyf@komatsu.eu<br>
> Tel. +32 (0)2 2552551 <br>
> <br>
> freeradius-users-bounces+stieven.struyf=komatsu.eu@lists.freeradius.org wrote on 10/27/2006 04:36:00 PM:<br>
> <br>
> > Let's see if we can get this solved... <br>
> > <br>
> > > -----Original Message-----<br>
> > > Here's the full log: <br>
> > > Waking up in 6 seconds... <br>
> > > rad_recv: Access-Request packet from host 10.104.254.73:1645,<br>
> > <br>
> > This is NOT the full log. The full log would have started with the line<br>
> > /path/to/radiusd -X<br>
> > <br>
> > Some important stuff is printed out there, it helps us help you.<br>
> > <br>
> > <br>
> > > rlm_mschap: NT Domain delimeter found, should we have <br>
> > > enabled with_ntdomain_hack? <br>
> > > rlm_mschap: NT Domain delimeter found, should we have <br>
> > > enabled with_ntdomain_hack? <br>
> > <br>
> > Did you enable Ntdomain Hack in the MSCHAP module? (See below)<br>
> > <br>
> > <br>
> > Including your radius.conf file would help.<br>
> > <br>
> > <br>
> > > > HOWEVER, first you may want to check your mschap module definition:<br>
> > > > <br>
> > > > modules {<br>
> > > > mschap {<br>
> > > > ntlm_auth = "/usr/bin/ntlm_auth \<br>
> > > > --request-nt-key \<br>
> > > > --username=%{mschap:User-Name:-None} \<br>
> > > > --domain=%{mschap:NT-Domain:-None} \<br>
> > > > --challenge=%{mschap:Challenge:-00} \<br>
> > > > --nt-response=%{mschap:NT-Response:-00}"<br>
> > > > <br>
> > > > ...all on one line of course. Note the use of the <br>
> > > "mschap:User-Name" <br>
> > > > and "mschap:NT-Domain" values.<br>
> > <br>
> > My radiusd.conf file's mschap section looks like this:<br>
> > NOTE that I do NOT have the :-00 and the :-None statements, and I DO<br>
> > have with_ntdomain_hack=yes<br>
> > <br>
> > <br>
> > # Microsoft CHAP authentication<br>
> > #<br>
> > # This module supports MS-CHAP and MS-CHAPv2 authentication.<br>
> > # It also enforces the SMB-Account-Ctrl attribute.<br>
> > #<br>
> > mschap {<br>
> > &nbsp;&nbsp;&nbsp;&nbsp;with_ntdomain_hack = yes<br>
> > &nbsp;&nbsp;&nbsp;&nbsp;ntlm_auth = "/usr/bin/ntlm_auth \<br>
> > &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;--request-nt-key \<br>
> > &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;--username=%{mschap:User-Name} \<br>
> > &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;--challenge=%{mschap:Challenge} \<br>
> > &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;--nt-response=%{mschap:NT-Response}"<br>
> > }<br>
> > <br>
> > <br>
> > - <br>
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html<br>
> - <br>
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html</font></tt>
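<br><font size=2 face="sans-serif">The thread turns on two things: the identity form a Windows supplicant sends ('DOMAIN\user', which the poster could not log in with) versus the 'user@domain' form he typed by hand, which is what with_ntdomain_hack is about, and the "Account locked out (0xc0000234)" line in the radiusd -X output that Michael singled out as the real answer. The script below is an added illustration of both points; it is not code from the thread, from FreeRADIUS or from Samba. The domain splitting, the hex-length checks, the sample log lines, the user "jdoe" and the domain "EXAMPLEDOM" are all constructed here; only the ntlm_auth flags and the /usr/bin/ntlm_auth path are the ones the thread itself uses.</font>

```python
"""Added illustration for the ntlm_auth thread above; not FreeRADIUS or Samba code."""
import re
from typing import Dict, List, Optional, Tuple

# Path to ntlm_auth as used in the thread's mschap configuration.
NTLM_AUTH = "/usr/bin/ntlm_auth"


def split_user_name(user_name: str) -> Tuple[str, Optional[str]]:
    """Split the identity a supplicant sends into (user, domain).

    Windows fills in the backslash form DOMAIN + '\\' + user by itself, the
    poster typed user@domain, and a bare user name carries no domain at all.
    The NT-Response is computed over the bare user name, which is the reason
    rlm_mschap's with_ntdomain_hack strips the domain prefix.  This splitter
    is an assumed illustration of that idea, not the module's own logic.
    """
    if "\\" in user_name:
        domain, _, user = user_name.partition("\\")
        return user, (domain or None)
    if "@" in user_name:
        user, _, domain = user_name.rpartition("@")
        return user, (domain or None)
    return user_name, None


def ntlm_auth_argv(user_name: str, challenge_hex: str, nt_response_hex: str,
                   default_domain: Optional[str] = None) -> List[str]:
    """Build the argv the thread's mschap block hands to ntlm_auth.

    MS-CHAPv2 gives rlm_mschap an 8-byte challenge and a 24-byte NT-Response
    (the log line in the thread shows 16 and 48 hex digits).  Malformed
    values are rejected here rather than surfacing later as a vague
    'MS-CHAP2-Response is incorrect'.
    """
    if not re.fullmatch(r"[0-9a-fA-F]{16}", challenge_hex):
        raise ValueError("challenge must be 8 bytes of hex")
    if not re.fullmatch(r"[0-9a-fA-F]{48}", nt_response_hex):
        raise ValueError("NT-Response must be 24 bytes of hex")
    user, domain = split_user_name(user_name)
    domain = domain or default_domain
    argv = [NTLM_AUTH, "--request-nt-key", f"--username={user}"]
    if domain:  # --domain is the flag the first quoted config passes
        argv.append(f"--domain={domain}")
    argv += [f"--challenge={challenge_hex}", f"--nt-response={nt_response_hex}"]
    return argv


# Patterns for the radiusd -X lines quoted in the thread.
EXEC_RE = re.compile(r"Exec-Program: \S*ntlm_auth .*--username=(\S+)")
LOCKOUT_RE = re.compile(r"Exec-Program output: Account locked out \((0x[0-9a-fA-F]+)\)")
FAIL_RE = re.compile(r"rlm_mschap: FAILED: MS-CHAP2-Response is incorrect")


def scan_debug_log(lines) -> Dict[str, Dict[str, object]]:
    """Summarise, per user, MS-CHAPv2 failures and winbind lockout status.

    A locked-out account is what the thread calls the final answer: it has
    to be cleared in the domain before any config change can help, and a
    supplicant that retries automatically will keep re-locking it.
    """
    report: Dict[str, Dict[str, object]] = {}
    current: Optional[str] = None
    for line in lines:
        m = EXEC_RE.search(line)
        if m:
            current = m.group(1)
            report.setdefault(current, {"failures": 0, "locked_out": False, "status": None})
            continue
        if current is None:
            continue
        m = LOCKOUT_RE.search(line)
        if m:
            report[current]["locked_out"] = True
            report[current]["status"] = m.group(1)
        elif FAIL_RE.search(line):
            report[current]["failures"] += 1
    return report


# Constructed sample of radiusd -X output: two wrong-password attempts for
# user jdoe followed by the lockout the thread describes. Hex values are dummies.
_ATTEMPT = ("Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=jdoe "
            "--challenge=0123456789abcdef --nt-response=" + "00" * 24)
SAMPLE_LOG = "\n".join([
    _ATTEMPT, "Exec-Program output: Logon failure (0xc000006d)",
    "Exec-Program: returned: 1", "rlm_mschap: External script failed.",
    "rlm_mschap: FAILED: MS-CHAP2-Response is incorrect",
    _ATTEMPT, "Exec-Program output: Logon failure (0xc000006d)",
    "Exec-Program: returned: 1", "rlm_mschap: External script failed.",
    "rlm_mschap: FAILED: MS-CHAP2-Response is incorrect",
    _ATTEMPT, "Exec-Program output: Account locked out (0xc0000234)",
    "Exec-Program: returned: 1", "rlm_mschap: External script failed.",
    "rlm_mschap: FAILED: MS-CHAP2-Response is incorrect",
])

if __name__ == "__main__":
    print(ntlm_auth_argv("EXAMPLEDOM\\jdoe", "0123456789abcdef", "00" * 24))
    for user, info in scan_debug_log(SAMPLE_LOG.splitlines()).items():
        print(user, info)
```

<br><font size=2 face="sans-serif">In a live server rlm_mschap does this splitting itself through %{mschap:NT-Domain} and with_ntdomain_hack; the script only makes the behaviour visible offline. Running scan_debug_log over a real radiusd -X capture shows whether failures are piling up against one account, which is worth checking before touching certificates or module settings, since each automatic retry by the supplicant counts against the domain lockout threshold.</font>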