On Thu, 2009-02-19 at 11:33 +0100, tnt@kalik.net wrote:
I have news for you - you haven't done any of this:
http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO#Con...
Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no *> with_ntdomain_hack = no* }
Also no ntlm_auth configured in mschap module (raddb/modules/mschap). So:
[mschapv2] +- entering group MS-CHAP {...} [mschap] NT Domain delimeter found, should we have enabled with_ntdomain_hack?
Server asks about the hack.
[mschap] Told to do MS-CHAPv2 for AD\tomas with NT-Password [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject
And it isn't using ntlm_auth.
You have an updated manual (relevant to freeradius 2.x) at:
http://deployingradius.com/documents/configuration/active_directory.html
Ivan, thanks for pointing this out, I did not understand where do I need to configure mschap so I've just appended ntlm_auth and nt hack strings to the end of radiusd.conf, I've removed that now and updated modules/mschap file, when radius starts I can clearly see it now picks it up: Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username= %{Stripped-User-Name:-%{User-Name:-None}} --challenge= %{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" } and it works!I authenticate My question now is, how do I login to AD using a new user that has never logged on to the box before? I'm getting an error saying domain AD unavailable, but if I use username that I used to login before 802.1x enforcement all is looking good... Thanks all for your help!