I had this working before, and I can't figure out what I'm missing to get it working on this server. Samba Version 3.0.23b FreeRADIUS version 1.0.4 Users successfully authenticate with the domain, Machine accounts do not however. My ntlm_auth line is: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}" I have: with_ntdomain_hack = yes in the mschap section. The debug is below The only thing that looks different than last time is it looks like the host/ isn't getting stripped off. Should it? rad_recv: Access-Request packet from host 10.0.1.22:32769, id=171, length=324 User-Name = "host/boytel2883.campus.bridgew.edu" Calling-Station-Id = "00-90-96-F4-2A-BB" Called-Station-Id = "00-0B-85-5B-55-A0:test" NAS-Port = 29 NAS-IP-Address = 10.0.1.22 NAS-Identifier = "BUWISM2-2" Vendor-14179-Attr-1 = 0x00000007 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "4000" EAP-Message = 0x0207007419001703010069fad4edfbbed6d8fb51dcf6cb01ead274ca25439081be3955 bfd614a066335309bfcc72d0f20a0891d43fd085e948c3a635622fcd52658bdc817970b8 7e859a66ec970d7433349e6cbd2d19184182eb762ea246e13202349e8c32c8acd5e5c322 df88f7fd45aa24e13f State = 0xdfdc87766140b541e2ac318d7ce82e0f Message-Authenticator = 0x42318a374d505be3af9ffa7af0c39484 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 19 modcall[authorize]: module "preprocess" returns ok for request 19 modcall[authorize]: module "chap" returns noop for request 19 modcall[authorize]: module "mschap" returns noop for request 19 rlm_realm: No '@' in User-Name = "host/boytel2883.campus.bridgew.edu", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 19 rlm_eap: EAP packet type response id 7 length 116 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 19 users: Matched entry DEFAULT at line 152 users: Matched entry DEFAULT at line 171 modcall[authorize]: module "files" returns ok for request 19 modcall: group authorize returns updated for request 19 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 19 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: EAP type mschapv2 rlm_eap_peap: Tunneled data is valid. PEAP: Setting User-Name to host/boytel2883.campus.bridgew.edu PEAP: Adding old state with f4 4b Processing the authorize section of radiusd.conf modcall: entering group authorize for request 19 modcall[authorize]: module "preprocess" returns ok for request 19 modcall[authorize]: module "chap" returns noop for request 19 modcall[authorize]: module "mschap" returns noop for request 19 rlm_realm: No '@' in User-Name = "host/boytel2883.campus.bridgew.edu", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 19 rlm_eap: EAP packet type response id 7 length 93 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 19 users: Matched entry DEFAULT at line 152 modcall[authorize]: module "files" returns ok for request 19 modcall: group authorize returns updated for request 19 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 19 rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 19 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for host/boytel2883.campus.bridgew.edu with NT-Password radius_xlat: Running registered xlat function of module mschap for string 'User-Name' radius_xlat: Running registered xlat function of module mschap for string 'Challenge' mschap2: c4 radius_xlat: Running registered xlat function of module mschap for string 'NT-Response' radius_xlat: '/usr/bin/ntlm_auth --request-nt-key --username=host/boytel2883.campus.bridgew.edu --challenge=896edabb073ecbba --nt-response=ed45bb2d412865db09406089a5c4145c142b682a469717cb' Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=host/boytel2883.campus.bridgew.edu --challenge=896edabb073ecbba --nt-response=ed45bb2d412865db09406089a5c4145c142b682a469717cb Exec-Program output: Logon failure (0xc000006d) Exec-Program-Wait: plaintext: Logon failure (0xc000006d) Exec-Program: returned: 1 rlm_mschap: External script failed. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 19 modcall: group Auth-Type returns reject for request 19 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns reject for request 19 modcall: group authenticate returns reject for request 19 auth: Failed to validate the user. Login incorrect: [host/boytel2883.campus.bridgew.edu] (from client localhost port 0) PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE modcall[authenticate]: module "eap" returns handled for request 19 modcall: group authenticate returns handled for request 19 Sending Access-Challenge of id 171 to 10.0.1.22:32769 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x010800261900170301001b117712344a946d2ec4a5810ca84e7e8d679cd4db81a9d3ba 62f02c Message-Authenticator = 0x00000000000000000000000000000000 State = 0xda9104a0e99cbf878c499197750025dd Finished request 19 Going to the next request Waking up in 3 seconds... rad_recv: Access-Request packet from host 10.0.1.22:32769, id=172, length=246 User-Name = "host/boytel2883.campus.bridgew.edu" Calling-Station-Id = "00-90-96-F4-2A-BB" Called-Station-Id = "00-0B-85-5B-55-A0:test" NAS-Port = 29 NAS-IP-Address = 10.0.1.22 NAS-Identifier = "BUWISM2-2" Vendor-14179-Attr-1 = 0x00000007 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "4000" EAP-Message = 0x020800261900170301001b8391b7780fd0e65e7da0ff923b9c0239457f612ac17c7904 4626be State = 0xda9104a0e99cbf878c499197750025dd Message-Authenticator = 0x58d7a64496d15d4c60e90495b86ab1db Processing the authorize section of radiusd.conf modcall: entering group authorize for request 20 modcall[authorize]: module "preprocess" returns ok for request 20 modcall[authorize]: module "chap" returns noop for request 20 modcall[authorize]: module "mschap" returns noop for request 20 rlm_realm: No '@' in User-Name = "host/boytel2883.campus.bridgew.edu", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 20 rlm_eap: EAP packet type response id 8 length 38 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 20 users: Matched entry DEFAULT at line 152 users: Matched entry DEFAULT at line 171 modcall[authorize]: module "files" returns ok for request 20 modcall: group authorize returns updated for request 20 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 20 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Tunneled data is valid. rlm_eap_peap: Had sent TLV failure, rejecting. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 20 modcall: group authenticate returns invalid for request 20 auth: Failed to validate the user. Login incorrect: [host/boytel2883.campus.bridgew.edu] (from client BUWiSM-2-2 port 29 cli 00-90-96-F4-2A-BB) Delaying request 20 for 1 seconds Finished request 20