Hi I'm trying to setup Ubiquiti UniFi to authenticate users in AD, and the ntlm_auth portion is causing me some issues. As UniFi doesn't support AD natively, I'm using RADIUS between UniFi and AD. My AD is a Samba 4 server, Samba is configured & working and the freeradius server has been joined to the domain. root@radius:~# wbinfo -u administrator foo guest krbtgt ntlm_auth on the command line works OK : root@radius:~# ntlm_auth --request-nt-key --domain=BAR --username=foo --password=xxx NT_STATUS_OK: The operation completed successfully. (0x0) I've followed a couple of guidelines specific for this setup (with UniFi) but none of them appear to work, neither with winbind nor ntlm_auth as method within freeradius. I'm currently using this in my mods-available/mschap file : ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=%{mschap:NT-Domain} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}" with_ntdomain_hack = yes When I run radtest from CLI I get this : *root@radius*:*~*$ radtest -t mschap "BAR\foo" xxx localhost 0 testing123 Sent Access-Request Id 245 from 0.0.0.0:43248 to 127.0.0.1:1812 length 136 User-Name = "BAR\\foo" MS-CHAP-Password = "xxx" NAS-IP-Address = 192.168.10.8 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "xxx" MS-CHAP-Challenge = 0xa822149a03011b15 MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000003ca8fa0c61ff26ce4d7aa85a43047ff78b4519f45d2c431d Received Access-Reject Id 245 from 127.0.0.1:1812 to 127.0.0.1:43248 length 61 MS-CHAP-Error = "\000E=691 R=1 C=1acfee53ed2e2e7c V=2" (0) -: Expected Access-Accept got Access-Reject On the radius debug log I get this : (0) Found Auth-Type = mschap (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) authenticate { (0) mschap: Client is using MS-CHAPv1 with NT-Password (0) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=%{mschap:NT-Domain} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}: (0) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} (0) mschap: --> --username=BAR\\foo (0) mschap: EXPAND --domain=%{mschap:NT-Domain} (0) mschap: --> --domain=BAR (0) mschap: mschap1: a8 (0) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00} (0) mschap: --> --challenge=a822149a03011b15 (0) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00} (0) mschap: --> --nt-response=3ca8fa0c61ff26ce4d7aa85a43047ff78b4519f45d2c431d (0) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)' (0) mschap: External script failed (0) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d) (0) mschap: ERROR: MS-CHAP2-Response is incorrect (0) [mschap] = reject (0) } # authenticate = reject (0) Failed to authenticate the user (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> BAR\\foo (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) [eap] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Login incorrect (mschap: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'): [BAR\foo/<via Auth-Type = mschap>] (from client localhost port 0) (0) Delaying response for 1.000000 seconds Waking up in 0.2 seconds. Waking up in 0.7 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 245 from 127.0.0.1:1812 to 127.0.0.1:43248 length 61 (0) MS-CHAP-Error = "\000E=691 R=1 C=1acfee53ed2e2e7c V=2" Waking up in 3.9 seconds. (0) Cleaning up request packet ID 245 with timestamp +25 due to cleanup_delay was reached Ready to process requests So my guess is that my ntlm_auth line is not correct, or I missed some other parameter somewhere, but I've tried quite a few options so far, and they seem to all fail. Any suggestions ? I did see some recommending using winbind instead of ntlm_auth, but I wanted to control access via group membership and it seems that is not an option with winbind. If anyone has a working example of what I'm trying to do (UniFi-->FreeRADIUS-->Samba DC) I'm all ears as the examples I found so far are not working. /Jesper