Hi, I have a strange problem. I try to authenticate users againts AD, it's seems to be a typical deployment of freeradius. But it's works randomly. When it's don't works , the mschap/NTLM auth success, the server send a access-challenge, I see on the cisco aironet the access-challenge come back to the client and no reply from the client and the connection stucks: +- entering group MS-CHAP rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password. rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for host/MRSLAP03571.domain.priv with NT-Password expand: --username=%{mschap:User-Name:-None} -> --username=MRSLAP03571$ expand: %{mschap:NT-Domain} -> DOMAIN expand: --domain=%{%{mschap:NT-Domain}:-DOMAIN} -> --domain=DOMAIN mschap2: 60 expand: --challenge=%{mschap:Challenge:-00} -> --challenge=923aaffd82c69093 expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=a7e9503bed0bfedf055e9e32e241e391ccb0dd649fe09bbe Exec-Program output: NT_KEY: 2254EC3D1B726196286DA65965D5D411 Exec-Program-Wait: plaintext: NT_KEY: 2254EC3D1B726196286DA65965D5D411 Exec-Program: returned: 0 ++[mschap] returns ok MSCHAP Success ++[eap] returns handled } # server inner-tunnel PEAP: Got tunneled reply RADIUS code 11 EAP-Message = 0x010b00331a030a002e533d34423436443245344135353939434637453443423233353641343546393836333932393945373637 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe713faa1e618e0bc40c4047c03951291 PEAP: Processing from tunneled session code 0x1e9e490 11 EAP-Message = 0x010b00331a030a002e533d34423436443245344135353939434637453443423233353641343546393836333932393945373637 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe713faa1e618e0bc40c4047c03951291 PEAP: Got tunneled Access-Challenge ++[eap] returns handled } # server inner-tunnel Sending Access-Challenge of id 103 to <AIRONET CISCO> port 1645 EAP-Message = 0x010b004a1900170301003fd5c3f845006343c8072ae98874a3df6bc8c3594e045b31fe7220a5c44b269eac3e3cdf6f48de5d3066feeb70a8f1d958e6b25c5f7ead1fa5c9064b89cc24a6 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5d184007551359eef79a3370536543a0 Finished request 8. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 95 with timestamp +56 Cleaning up request 1 ID 96 with timestamp +56 Cleaning up request 2 ID 97 with timestamp +56 I have already checked the XP extension is present on the certificate server: extendedKeyUsage = 1.3.6.1.5.5.7.3.1 ################################################## # # !!!!! WARNINGS for Windows compatibility !!!!! # ################################################## # # If you see the server send an Access-Challenge, # and the client never sends another Access-Request, # then # # STOP! # # The server certificate has to have special OID's # in it, or else the Microsoft clients will silently # fail. See the "scripts/xpextensions" file for # details, and the following page: # # http://support.microsoft.com/kb/814394/en- I use : freeradius 2.0.4 samba 3.2.5 cisco aironet 1240 I have tried other version of samba: 3.2.15 and 3.4.8 and freeradius 2.1.8 The samba / winbbind stuff seems to work correctly ( Tests wbinfo, ntlm_auth OK) I have the same issue with other XP / windows 7 supplicants. I think I have checked correctly the howto: http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO I don't think I'm the first with the same problem so please help me before I'm going crazy :) Thanks a lot for any information.