Hi,
rad_recv: Access-Request packet from host 138.253.XXX.XXX port 47032, id=195, length=49 User-Name = "user" User-Password = "passwd" NAS-IP-Address = 138.253.XXX.XXX
There. No MS-CHAP-Challenge. You are not supposed to process this packet with the rlm_mschap module. Why does it fail? ...
Config:
users:
DEFAULT Auth-Type = mschap Acct-Session-Id = "Local", Fall-Through = Yes
Write a hundred times on the blackboard: "I will not set Auth-Type." The server will figure out itself what to do. In this case, PAP.
If I don’t force MSCHAP in users, how else do I get the user checked against AD when the only place ntlm_auth is called is inside the mschap module?
You configure your AD server in the ldap {} section and uncomment the ldap stanzas in authorize and authenticate. You don't call ntlm_auth then, and that is because you don't need ntlm_auth - user authentication is done with an LDAP bind() operation with the user credentials. Greetings, Stefan Winter -- Stefan WINTER Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche Ingenieur Forschung & Entwicklung 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg E-Mail: stefan.winter@restena.lu Tel.: +352 424409-1 http://www.restena.lu Fax: +352 422473