Found Auth-Type = MSCHAP +- entering group MS-CHAP {...} [mschap] Told to do MS-CHAPv1 with NT-Password [mschap] expand: --username=%{mschap:User-Name:-None} -> --username=001E52805980 [mschap] No NT-Domain was found in the User-Name. [mschap] expand: %{mschap:NT-Domain} -> [mschap] ... expanding second conditional [mschap] expand: --domain=%{%{mschap:NT-Domain}:-MY.ACTUAL.DOMAIN} -> --domain=MY.ACTUAL.DOMAIN [mschap] mschap1: 86 [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=86acd2fc97136970 [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=bc25975c513bb7dc3b2b1068d2ac048fe46e52a840f4f662 Exec-Program output: Logon failure (0xc000006d) Exec-Program-Wait: plaintext: Logon failure (0xc000006d) Exec-Program: returned: 1 [mschap] External script failed. [mschap] MS-CHAP-Response is incorrect. ++[mschap] returns reject Failed to authenticate the user.
First things first. When you run this on the command line, what exactly do you get? ntlm_auth --request-nt-key \ --username=001E52805980 \ --domain=MY.ACTUAL.DOMAIN \ --challenge=86acd2fc97136970 \ --nt-response=bc25975c513bb7dc3b2b1068d2ac048fe46e52a840f4f662 (You may need to run FreeRADIUS in debug mode, observe another failure, and then copy the challenge and response values from that *recent* failure in there for this to work. I don't know what the lifetime is on those values. Using the ones from hours ago may not work.) Second question is, is "request-nt-key" appropriate in this case? I only ask because I've only ever used ntlm_auth to authenticate Windows hosts directly. In this case, the wireless controller is doing the authentication, and the wireless controller is not a Windows box. Sure, it's using a set of credentials in AD, but that's not exactly the same. The *Windows* box is not doing the authentication. The *controller* is. --J