On Sep 2, 2018, at 5:54 AM, Jürgen Obermeyer <om@oegym.de> wrote:
Something is very wrong with the Samba / AD infrastructure if MS-CHAP doesn't work.
I think the problem is in my freeradius config.
If you send MS-CHAP data to Samba, and it says "no", then the issue is on the Samba side. FreeRADIUS does MS-CHAP correctly, and has done so for about 20 years...
Now I'm testing to connect a wireless client with eap-ttls, but it's not working, too. 'radtest' is always successfull, but I can't connect any wireless client.
The debug output shows what's going on.
... /etc/freeradius/3.0/sites-enabled/inner-tunnel (6) authenticate { (6) eap: Expiring EAP session with state 0x849ba7b1849aa33e (6) eap: Finished EAP session with state 0x849ba7b1849aa33e (6) eap: Previous EAP request found for state 0x849ba7b1849aa33e, released from the list (6) eap: Peer sent packet with method EAP MD5 (4) (6) eap: Calling submodule eap_md5 to process data (6) eap_md5: ERROR: Cleartext-Password is required for EAP-MD5 authentication (6) eap: ERROR: Failed continuing EAP MD5 (4) session. EAP sub-module failed
That is pretty clear. You can't do EAP-MD5 and Kerberos. You MUST configured TTLS with PAP inside of the tunnel. NOT EAP-MD5. Alan DeKok.