HI Alan Thanks for the reply. I already followed your site and was able to make ntlm_auth work. For MS-CHAP the AD page of your site says "Start the server and use a test client to send an MS-CHAP authentication request. The radclient cannot currently be used to send this request, unfortunately, which makes testing a little difficult If everything goes well, you should see the server returning an Access-Accept<http://freeradius.org/rfc/rfc2865.html#Access-Accept>message as above." Hence I was of the view radtest cannot work for MS-CHAP authentication. Request you to point me to the right link and way to do the MS-CHAP procedure and testing the same thorugh radtest. I could not understand "There's no User-Password in MS-CHAP." Regards Dhiraj Gaur On Fri, Jan 20, 2012 at 9:15 PM, Alan DeKok <aland@deployingradius.com>wrote:
Dhiraj Gaur wrote:
I have been trying to implement radius authetication server at my workplace. The idea is to have all wifi access points authenticate against a radius server.
That is a common deployment, and should be easy to do.
The radius server needs to pass authentication to a backend Active Directory server. I have been sucessful in authenticating wifi users against file based and SQL based authentication in radius. NTLM_AUTH using PAP also works fine, wherein plaintext password is sucessfully authenticated against the AD and I get an "Access-Accept". However when I pass the same credentials over CHAP, MSCHAP or EAP_MSCHAP the same is not working and I end up in a "Access-Reject".
CHAP will *not* work with AD. See my web site:
http://deployingradius.com/documents/protocols/compatibility.html
Seems like that the ntlm_auth program is not parsing the received encrypted password hence the authetication fails. MSCHAP is a requirement as wifi clients at my place mostly have eap supplicant. (Read in freeradius documentation that eap and ldap doesnt go hand in hand, I may be wrong at interpreting the same)
You've misconfigured the server. You have it trying to do ntlm_auth using the User-Password, and then sending it an MS-CHAP authentication. There's no User-Password in MS-CHAP.
Follow the instructions on my web site for configuring ntlm_auth:
http://deployingradius.com/documents/configuration/active_directory.html
And then follow the other instructions for getting EAP to work.
The freeradius logs for all the cases is listed below. Radius gurus please point me to the right direction as to make MS_CHAP authentication owrk over ntlm_auth or ldap(if possible).
PS: I did all the testing using JRadius simulator.
FreeRADIUS comes with "radclient", which does PAP, CHAP, and MS-CHAP. That should be all you need.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Regards Dhiraj Gaur