hi Fajar
I did read the replies as well as Alan's page. Being a newbie to FR i actually started with that only.

On Sat, Jan 21, 2012 at 7:44 PM, Fajar A. Nugraha <list@fajar.net> wrote:
Did you REALLY read the replies sent to this list?
Did you REALLY read Alan's page,
http://deployingradius.com/documents/configuration/active_directory.html
to the end?


The version of radtest on my system doesnt support the -t option, hence even after doing radtest -h I could not find anything. I settled for jradius client to achieve the same effect already. Have tried upgrading the package but its already in the latest version.
 
If yes, you'd know that:
- radtest can send mschap request as well (see 'radtest -h')

The only changes I have done to default config is in the inner tunnel or default file. Attaching the same if you may have a look. I have never blamed Alan that his recipe is flawed.
 
- Alan's page, up to 'Configuring FreeRADIUS to use ntlm_auth',
contains detailed instruction on how to make FR works with AD and pap.
If you can't get it to work, that means you're doing something wrong.
Probably editing some entries you shouldn't, since your ntlm_auth
result is OK (which means samba + AD part is working correctly). It's
perfectly fine to be creative and edit the config file as you see fit,
but ONLY if you know what you're doing. If you're given a recipe, and
choose to stray from it, and messed up, don't blame the guy who
created the recipe.

The PAP things is already working fine as I mentioned earlier and have followed every bit of Alans guide. Would redo the things again if it works.
 
- Also on Alan's page, there's the section 'Configuring FreeRADIUS to
use ntlm_auth for MS-CHAP'. That pretty much answers the last part of
your question, but ONLY if you already got pap working properly.
 

Attaching the inner tunnel and default file, please go through the same and point out if something is amiss.....

Default File
------------------------------------------------------------------------------
authorize {
    preprocess

#    auth_log
    chap
    mschap
#    digest
#    wimax
#    IPASS
    suffix
#    ntdomain
    eap {
        ok = return
    }
#    unix
#    files
#    sql
    ntlm_auth
#    etc_smbpasswd
#    ldap
#    checkval
    expiration
    logintime
    pap
    #if(!control:Auth-Type) {
        #update control {
        #    Auth-Type = "ntlm_auth"
        #}
    #}
#    Autz-Type Status-Server {
#
#    }
}

authenticate {
    Auth-Type NTLM_AUTH {
    ntlm_auth
    }
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
#    digest

#    pam
#    unix
#    Auth-Type LDAP {
#        ldap
#    }
    eap
#    Auth-Type eap {
#        eap {
#            handled = 1 
#        }
#        if (handled && (Response-Packet-Type == Access-Challenge)) {
#            attr_filter.access_challenge.post-auth
#            handled  # override the "updated" code from attr_filter
#        }
#    }
}

INNER TUNNEL FILE
--------------------------------------------------
server inner-tunnel {

#listen {
#       ipaddr = 127.0.0.1
#       port = 18120
#       type = auth
#}

authorize {
    chap
    mschap
#    unix
#    IPASS
    suffix
#    ntdomain
    update control {
           Proxy-To-Realm := LOCAL
    }
    eap {
        ok = return
    }
    files
    #sql
    ntlm_auth
#    etc_smbpasswd
#    ldap
#    daily
#    checkval
    expiration
    logintime
    pap
}


authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
#    pam
    ntlm_auth
#    unix
#    Auth-Type LDAP {
#        ldap
#    }
    eap
}



--
Regards

Dhiraj Gaur