Hi,
rad_recv: Access-Request packet from host 138.253.XXX.XXX port 47032, id=195, length=49 User-Name = "user" User-Password = "passwd" NAS-IP-Address = 138.253.XXX.XXX
There. No MS-CHAP-Challenge. You are not supposed to process this packet with the rlm_mschap module. Why does >it fail? ...
I see now why this was failing. Client was doing non-MSCHAP and there was no section telling RADIUS how to authenticate this type of request.
Config:
users:
DEFAULT Auth-Type = mschap Acct-Session-Id = "Local", Fall-Through = Yes
Write a hundred times on the blackboard: "I will not set Auth-Type." The server will figure out itself what to >do. In this case, PAP.
Duly removed. I inherited the config and assumed it had been added for good reason. It works without so it has been removed.
If I don’t force MSCHAP in users, how else do I get the user checked against AD when the only place ntlm_auth is called is inside the mschap module?
You configure your AD server in the ldap {} section and uncomment the ldap stanzas in authorize and >authenticate. You don't call ntlm_auth then, and that is because you don't need ntlm_auth - user authentication >is done with an LDAP bind() operation with the user credentials.
With some pain, I now have the LDAP to AD authentication working. I have not tested *all* methods, but the ones I am interested in supporting seem to work. EAP-MD5 fails, but that is an exercise for another day if I feel I need to fix it.
Greetings,
Stefan Winter
Thanks for your help. You pointed me in the right direction which was all I needed really. --------------- Barry Dean Networks Team