Hector.Ortiz@swisscom.com wrote:
on the windows client. I tried first one automatic login and then a manual one. The CHAP log generated by Windows is as follows:
Hmph. That wasn't as useful as I'd hoped (the PPP logs are much better)
Windows sends both domain and username, but only the manual login succeeds.
For the manual login, Windows uses DES and MD5 but for the automatic one uses Local Security Authority, but I don't think this has something to do with my problem, does it?
Not really - the automatic login calls out to the LSA to get the logged-in creds. The manual login does a portion of that locally.
I've also tried other things on the client side:
Cleaned cached user credentials from regedit, just in case, but the result is the same. I've tried using different computers and the result is the same. Using a different supplicant (SecureW2) seemed to work, but not using PEAP. I selected EAP-MSCHAP v2 and both automatic and manual logins worked on my computer through SW2. Then I tried it on another computer, and didn't work. Different accounts and the result is the same.
I haven't tried yet bumping the debugging level in Samba. I was just trying on the client side, but unfortunately nothing succeeded :(
Well, now I have to try things on the server side.
I doubt there's anything in the Radius server that'll help at this point. Only two things I can think of: 1. Does your password have odd (non-ascii) characters in it? That should NOT matter for MS-CHAP since it's explicitly unicode aware 2. Does the domain you are in have particular tight security policies that might be preventing the LSA from successfully completing an MS-CHAP but would allow the manual code to work? Both are extremely unlikely. Sorry I can't be more help