Some things I've noticed from your attached files Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = yes mschap: require_strong = yes I've never enabled these before, I'm unaware what affect they will have tls: pem_file_type = yes tls: private_key_file = "/etc/raddb/certs/cert-srv.pem" tls: certificate_file = "/etc/raddb/certs/cert-srv.pem" tls: CA_file = "/etc/raddb/certs/demoCA/cacert.pem" tls: private_key_password = "whatever" tls: dh_file = "/etc/raddb/certs/dh" tls: random_file = "/etc/raddb/certs/random" Did you generate your OWN certs... They one's that ship with the server ARE NOT vailid. You have to generate your own. rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 That doesn't look right BUT YOUR FINAL ANSWER: xec-Program: /usr/bin/ntlm_auth --request-nt-key --username=sstruyf --challenge=b9ee04ca891c7b7d --nt-response=79b960c773fa101929d3bf8e738168e8b6d8ae8cd61f64f0 Exec-Program output: Account locked out (0xc0000234) Exec-Program-Wait: plaintext: Account locked out (0xc0000234) Exec-Program: returned: 1 rlm_mschap: External script failed. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect Your account in the domain is not correct. Looks like it's been disabled or something. Fix that first before you change anymore config files. ________________________________ From: Stieven.Struyf@komatsu.eu [mailto:Stieven.Struyf@komatsu.eu] Sent: Monday, November 06, 2006 3:16 AM To: King, Michael Subject: Fw: freeradius and ntlm_auth howto Michael, I sent my reply already to the list, but due to the size(larger than 100k) it had to be reviewed by the admin and after a week it was rejected. Below you can find the mail. Thanks for helping me. Stieven Struyf M.I.S. Division - System Operations Komatsu Europe International NV Mechelsesteenweg 586 B-1800 Vilvoorde Stieven.Struyf@komatsu.eu Tel. +32 (0)2 2552551 ----- Forwarded by Stieven Struyf/KEISA/BE/KOMEUR on 11/06/2006 09:13 AM ----- Stieven Struyf/KEISA/BE/KOMEUR 11/02/2006 08:55 AM To FreeRadius users mailing list <freeradius-users@lists.freeradius.org> cc Subject RE: freeradius and ntlm_auth howtoLink <Notes://BENT63KE/C1257011005324FB/DABA975B9FB113EB852564B5001283EA/625A 148B6EA233CDC125721400531414> I added the debuglog as attachment(as it is a little large to paste here). This is the mschap config: mschap { authtype = MS-CHAP use_mppe = yes require_strong = yes with_ntdomain_hack = yes require_encryption = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}" } Stieven Struyf M.I.S. Division - System Operations Komatsu Europe International NV Mechelsesteenweg 586 B-1800 Vilvoorde Stieven.Struyf@komatsu.eu Tel. +32 (0)2 2552551 freeradius-users-bounces+stieven.struyf=komatsu.eu@lists.freeradius.org wrote on 10/27/2006 04:36:00 PM: > Let's see if we can get this solved... > > > -----Original Message----- > > Here's the full log: > > Waking up in 6 seconds... > > rad_recv: Access-Request packet from host 10.104.254.73:1645, > > This is NOT the full log. The full log would have started with the line > /path/to/radiusd -X > > Some important stuff is printed out there, it helps us help you. > > > > rlm_mschap: NT Domain delimeter found, should we have > > enabled with_ntdomain_hack? > > rlm_mschap: NT Domain delimeter found, should we have > > enabled with_ntdomain_hack? > > Did you enable Ntdomain Hack in the MSCHAP module? (See below) > > > Including your radius.conf file would help. > > > > > HOWEVER, first you may want to check your mschap module definition: > > > > > > modules { > > > mschap { > > > ntlm_auth = "/usr/bin/ntlm_auth \ > > > --request-nt-key \ > > > --username=%{mschap:User-Name:-None} \ > > > --domain=%{mschap:NT-Domain:-None} \ > > > --challenge=%{mschap:Challenge:-00} \ > > > --nt-response=%{mschap:NT-Response:-00}" > > > > > > ...all on one line of course. Note the use of the > > "mschap:User-Name" > > > and "mschap:NT-Domain" values. > > Mine radiusd.conf file's mschap section looks like this: > NOTE that I do NOT have the :-00 and the :-None statements, and I DO > have with_ntdomain_hack=yes > > > # Microsoft CHAP authentication > # > # This module supports MS-CHAP and MS-CHAPv2 authentication. > # It also enforces the SMB-Account-Ctrl attribute. > # > mschap { > with_ntdomain_hack = yes > ntlm_auth = "/usr/bin/ntlm_auth \ > --request-nt-key \ > --username=%{mschap:User-Name} \ > --challenge=%{mschap:Challenge} \ > --nt-response=%{mschap:NT-Response} > } > > > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html