<html><head><style type="text/css"><!-- DIV {margin:0px;} --></style></head><body><div style="font-family:times new roman,new york,times,serif;font-size:12pt"><div><br>Yes, it works with an entry in the user file.<br><br>+- entering group authenticate {...}<br>[eap] Request found, released from the list<br>[eap] EAP/mschapv2<br>[eap] processing type mschapv2<br>[mschapv2] +- entering group MS-CHAP {...}<br>[mschap] Told to do MS-CHAPv2 for s.hotz with NT-Password<br>[mschap] adding MS-CHAPv2 MPPE keys<br>++[mschap] returns ok<br>MSCHAP Success<br>++[eap] returns handled<br><br>It works as well if I try it with the ntlm command from the radius server:<br><br>/usr/bin/ntlm_auth --request-nt-key --domain=domain --username=s.hotz<br><br>So is my guess correct that I have to investigate further in the ntlm_auth command in the mschap module?<br>I have tried different parameters. Right now it looks like:<br><br>ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--domain=%{mschap:NT-Domain} --username=%{%{mschap:User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"<br> <br><br></div><div style="font-family: times new roman,new york,times,serif; font-size: 12pt;"><br><div style="font-family: arial,helvetica,sans-serif; font-size: 13px;"><font face="Tahoma" size="2"><hr size="1"><b><span style="font-weight: bold;">From:</span></b> Ivan Kalik &lt;tnt@kalik.net&gt;<br><b><span style="font-weight: bold;">To:</span></b> FreeRadius users mailing list &lt;freeradius-users@lists.freeradius.org&gt;<br><b><span style="font-weight: bold;">Sent:</span></b> Thursday, 17 September 2009, 19:30:15<br><b><span style="font-weight: bold;">Subject:</span></b> Re: AW: Authentication with eap/mschapv2<br></font><br>> I have tried now both with or without encryption<br>><br>> Module: Instantiating mschap<br>> mschap {<br>>
use_mppe = yes<br>> require_encryption = no<br>> require_strong = no<br>> with_ntdomain_hack = yes<br>><br>> unfortunately the result is still the same<br>><br>> Found Auth-Type = EAP<br>> +- entering group authenticate {....}<br>> [eap] Request found, released from the list<br>> [eap] EAP/mschapv2<br>> [eap] processing type mschapv2<br>> rlm_eap_mschapv2: Invalid response type 4<br>> [eap] Handler failed in EAP/mschapv2<br>> [eap] Failed in EAP select<br>> ++[eap] returns invalid<br>> Failed to authenticate the user.<br>><br>> Does it make sense to enable the encryption for mschap since the eap<br>> tunnel (as far as I have understood) is the whole way from the client to the<br>> radius server?<br><br>MPPE is encrypting the connection between the user and the NAS. Nothing to do with<br>authentication
encryption.<br><br>Does PEAP work for username/pass in users file? Comment out ntlm_auth<br>line in mschap module and see if authentication can complete like that.<br><br>Ivan Kalik<br>Kalik Informatika ISP<br></div></div></div><br>
</body></html>