Dhiraj Gaur wrote:
I have been trying to implement radius authetication server at my workplace. The idea is to have all wifi access points authenticate against a radius server.
That is a common deployment, and should be easy to do.
The radius server needs to pass authentication to a backend Active Directory server. I have been sucessful in authenticating wifi users against file based and SQL based authentication in radius. NTLM_AUTH using PAP also works fine, wherein plaintext password is sucessfully authenticated against the AD and I get an "Access-Accept". However when I pass the same credentials over CHAP, MSCHAP or EAP_MSCHAP the same is not working and I end up in a "Access-Reject".
CHAP will *not* work with AD. See my web site: http://deployingradius.com/documents/protocols/compatibility.html
Seems like that the ntlm_auth program is not parsing the received encrypted password hence the authetication fails. MSCHAP is a requirement as wifi clients at my place mostly have eap supplicant. (Read in freeradius documentation that eap and ldap doesnt go hand in hand, I may be wrong at interpreting the same)
You've misconfigured the server. You have it trying to do ntlm_auth using the User-Password, and then sending it an MS-CHAP authentication. There's no User-Password in MS-CHAP. Follow the instructions on my web site for configuring ntlm_auth: http://deployingradius.com/documents/configuration/active_directory.html And then follow the other instructions for getting EAP to work.
The freeradius logs for all the cases is listed below. Radius gurus please point me to the right direction as to make MS_CHAP authentication owrk over ntlm_auth or ldap(if possible).
PS: I did all the testing using JRadius simulator.
FreeRADIUS comes with "radclient", which does PAP, CHAP, and MS-CHAP. That should be all you need. Alan DeKok.