Cory Johnson wrote:
When I try to log into the VPN from a Windows client, I get the error message: "Error 691: Access was denied because the user name and/or password was invalid on the domain.", but radius logs show "Access-Accept".
You misconfigured the server, and broke it.
My major difference is that I am using a LDAP backend which contains NT passwords (it is also the LDAP backend for my samba server).
It's not using the NT Passwords. See the debug log.
Tried fiddling with mppe and encryption settings in the mschap module, but always get the same results.
The issue isn't the mschap module. It's elsewhere.
"freeradius -X" debug below, as always any reply would be great.
rad_recv: Access-Request packet from host 192.168.1.55 port 43210, id=116, length=166 NAS-Identifier = "pfsense.local" NAS-Port = 0 NAS-Port-Type = Virtual Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = "192.168.1.153" User-Name = "cjohnson" MS-CHAP-Challenge = 0xbc4e68fb2822b769cef9f48f6420925f MS-CHAP2-Response = 0x0100991b81f3bbq3859d8qa75ae826662d8600000000000000009584dde386742b71bc7c72fca79a678ebf1fee00b74a36e2 ... Found Auth-Type = Accept Auth-Type = Accept, accepting the user
You have configured the server to *force* Auth-Type. Don't do that. The "Auth-Type := Accept" forces the server to *not* do MS-CHAP authentication. The client sees that the required MS-CHAP data is missing from the response, and concludes that the server is broken, or lying to it. Alan DeKok.