Brian Gold wrote:
We currently have an existing freeradius setup using eap-ttls/pap with an openldap backend. Up until now, our userPassword has always been SHA encoded. I've been working to add sambaNTPassword hashes so that we can use either eap-ttls/mschap or peap/mschap. I've got the nt hashes set, but I'm having some difficulty getting freeradius to successfully authenticate. Output from "radtest -t mschap username password localhost 0 secret": http://pastebin.com/FeiwwhzE
The NT hash doesn't match the supplied password.
output from "radtest -t pap username password localhost 0 secret": http://pastebin.com/tvZXqJCm
In which you've forced "Auth-Type := LDAP", which means it's ignoring the NT hash. Don't do that. Use the "smbpasswd" program supplied with FreeRADIUS to create the NT hash. Use a simple password like "test". That also means you don't need to worry about pasting it to the list. Put the password into the "users" file. Test it with PAP && MS-CHAP. CHECK TO MAKE SURE it's using the password. i.e. not LDAP. Then... delete the password from the users file, and put it into LDAP. Check also that you're not setting "Auth-Type := LDAP" You're trying to fix a problem which has a lot of pieces. Some of the pieces are configured wrong, which means it's impossible to figure out the *other* pieces. Solve one problem at a time. Alan DeKok.