* Also read the top of sites-available/inner-tunnel and test it via radclient, using MS-CHAP.
Thank you, Alan - I hadn't tried that yet: It seems my ldap authentication is working, but not the mschap: # radtest tim.odriscoll MYPASSWD localhost 10 testing123 (0) # Executing group from file /etc/raddb/sites-enabled/default (0) authenticate { rlm_ldap (ldap): Reserved connection (2) (0) ldap: Login attempt by "tim.odriscoll" (0) ldap: Using user DN from request "CN=tim.odriscoll,CN=Users,DC=MYDOMAIN,DC=co,DC=uk" (0) ldap: Waiting for bind result... (0) ldap: Bind successful (0) ldap: Bind as user "CN=tim.odriscoll,CN=Users,DC=MYDOMAIN,DC=co,DC=uk" was successful rlm_ldap (ldap): Released connection (2) (0) [ldap] = ok (0) } # authenticate = ok (0) # Executing section post-auth from file /etc/raddb/sites-enabled/default (0) post-auth { (0) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { (0) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE (0) update { (0) No attributes updated for RHS &session-state: (0) } # update = noop (0) [exec] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # post-auth = noop (0) Sent Access-Accept Id 138 from 127.0.0.1:1812 to 127.0.0.1:41829 length 36 (0) Tunnel-Type = VLAN (0) Tunnel-Medium-Type = IEEE-802 (0) Tunnel-Private-Group-Id = "30" (0) Finished request And with mschap: radtest -t mschap tim.odriscoll MYPASSWD localhost 10 testing123 (1) authenticate { (1) mschap: Client is using MS-CHAPv1 with NT-Password (1) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{mschap:User-Name}:-00} --allow-mschapv2 --domain=MYDOMAIN --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}: (1) mschap: EXPAND --username=%{%{mschap:User-Name}:-00} (1) mschap: --> --username=tim.odriscoll (1) mschap: mschap1: 84 (1) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00} (1) mschap: --> --challenge=84b5ae5ac964eb2c (1) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00} (1) mschap: --> --nt-response=da7a0095a13df2402e71c6c167eef1f1ae48514b721fa091 (1) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)' (1) mschap: External script failed (1) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d) (1) mschap: ERROR: MS-CHAP2-Response is incorrect (1) [mschap] = reject I will try and dig out the samba logs.. Many thanks, Tim