On Apr 3, 2023, at 11:43 AM, Tim ODriscoll <tim.odriscoll@lambrookschool.co.uk> wrote:
And with mschap: radtest -t mschap tim.odriscoll MYPASSWD localhost 10 testing123 (1) authenticate { (1) mschap: Client is using MS-CHAPv1 with NT-Password (1) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{mschap:User-Name}:-00} --allow-mschapv2 --domain=MYDOMAIN --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}: (1) mschap: EXPAND --username=%{%{mschap:User-Name}:-00} (1) mschap: --> --username=tim.odriscoll (1) mschap: mschap1: 84 (1) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00} (1) mschap: --> --challenge=84b5ae5ac964eb2c (1) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00} (1) mschap: --> --nt-response=da7a0095a13df2402e71c6c167eef1f1ae48514b721fa091 (1) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)' (1) mschap: External script failed (1) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d) (1) mschap: ERROR: MS-CHAP2-Response is incorrect (1) [mschap] = reject
I will try and dig out the samba logs..
That's the best bet. We know FR is doing the various NT hash calculations correctly. And passing that to ntlm_auth. My only remaining guess here is that Samba / AD isn't permitting ntlm / mschap authentication. Alan DeKok.