I have FreeRADIUS setup do LDAP authentication against AD
and also PEAP which ultimately uses ntlm_auth against AD. Both work fine
for the most part except some users that I have started to add to the PEAP
enabled wireless network. If I connect to this network, I authenticate
fine. If one of these other accounts connects, the authentication fails
for some reason. Here are the entries from the radius.log file:
Thu Jun 12 13:21:25 2008 : Auth: Login OK: [DOMAIN\\user1]
(from client WLANCTRLR1 port 0)
Thu Jun 12 13:21:25 2008 : Auth: Login OK: [DOMAIN\\user1]
(from client WLANCTRLR1 port 1 cli 00-0E-35-6F-A3-7D)
Thu Jun 12 13:21:54 2008 : Auth: Login incorrect (rlm_ldap:
User not found): [DOMAIN\\nonworkinguser/<via Auth-Type = EAP>] (from
client WLANCTRLR1 port 0)
Thu Jun 12 13:21:54 2008 : Auth: Login incorrect: [DOMAIN\\nonworkinguser/<via
Auth-Type = EAP>] (from client WLANCTRLR1 port 1 cli 00-0C-F1-12-49-DD)
Thu Jun 12 13:22:12 2008 : Auth: Login incorrect (rlm_ldap:
User not found): [DOMAIN\\nonworkinguser/<via Auth-Type = EAP>] (from
client WLANCTRLR1 port 0)
Thu Jun 12 13:22:12 2008 : Auth: Login incorrect: [DOMAIN\\nonworkinguser/<via
Auth-Type = EAP>] (from client WLANCTRLR1 port 1 cli 00-0C-F1-12-49-DD)
Thu Jun 12 13:23:04 2008 : Auth: Login OK: [DOMAIN\\user1]
(from client WLANCTRLR1 port 0)
Thu Jun 12 13:23:04 2008 : Auth: Login OK: [DOMAIN\\user1]
(from client WLANCTRLR1 port 2 cli 00-0E-35-6F-A3-7D)
If I try the samba authentication from a command line on the
FreeRADIUS server, it completes successfully:
[root@RADIUS1 raddb]# /usr/local/samba/bin/wbinfo -a nonworkinguser%testpassword
plaintext password authentication succeeded
challenge/response password authentication succeeded
If I test authentication of the user using radtest, it works
fine and is able to find the user:
[root@RADIUS2 ~]# radtest nonworkinguser testpassword 10.1.1.1
1 testing123
Sending Access-Request of id 221 to 10.1.1.1 port 1812
User-Name =
"nonworkinguser"
User-Password =
"testpassword"
NAS-IP-Address =
127.0.0.1
NAS-Port = 1
rad_recv: Access-Accept packet from host 10.1.1.1 port 1812,
id=221, length=20
What I believe to be the relevant part of the radiusd –X
output is:
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
+- entering group MS-CHAP
rlm_mschap: No Cleartext-Password configured.
Cannot create LM-Password.
rlm_mschap: No Cleartext-Password configured.
Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for nonworkinguser
with NT-Password
expand:
--username=%{mschap:User-Name} -> --username=nonworkinguser
mschap2: 85
expand:
--challenge=%{mschap:Challenge:-00} -> --challenge=3c2921ed60ab0f28
expand:
--nt-response=%{mschap:NT-Response:-00} ->
--nt-response=9b2c345dd9585a0b79b19cd2fe360474a737271903b6989c
Exec-Program output: Logon failure (0xc000006d)
Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
Exec-Program: returned: 1
rlm_mschap: External script failed.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
rlm_eap: Freeing handler
++[eap] returns reject
auth: Failed to validate the user.
Login incorrect (rlm_ldap: User not found): [DOMAIN\\nonworkinguser/<via
Auth-Type = EAP>] (from client WLANCTRLR1 port 0)
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE
++[eap] returns handled
Anyone have any ideas as to what the problem might be?