On 08/10/10 14:24, Mark Holmes wrote:
and I see the server returns Access-Accept.
Firstly, don't set Auth-Type. It's almost always the wrong thing to do. Secondly, this is just testing PAP i.e. plain username/password auth. Wireless typically uses 802.1x via EAP.
I then configure MS-CHAP, removing the DEFAULT Auth-Type from users and editing modules/mschap as follows
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
That looks about right.
Output from radius -X at the bottom of this message. The bit that looks relevant to me is
++[mschap] returns noop
No, you're misreading it - see below.
[suffix] Looking up realm "mydomain.ox.ac.uk" for User-Name = "firstname.lastname@mydomain.ox.ac.uk" [suffix] No such realm "mydomain.ox.ac.uk"
However I'm not sure I need to worry about that bit - at the moment this is just a single, stand alone RADIUS server so I'm not sure I need to worry about realms or do I?....
Not for the moment.
Not sure where to go from here - are there some basic things I should check? I haven't included my conf files in this post but happy to do so if required.
Don't post the config files. The *full* debug output (from start to failure) is what's needed. Something like: /usr/sbin/radiusd -X | tee thelog.txt EAP is a multi-pass protocol; there will be 4-8 requests, and the actual MS-CHAP failure will be somewhere in the middle, after the EAP-PEAP TLS tunnel is established, but before the failure is sent.
Output from -X
That's just the final packet.
[peap] Had sent TLV failure. User was rejected earlier in this session. [eap] Handler failed in EAP/peap
This is an EAP-PEAP, not MS-CHAP request (hence the noop) The failure occurred in an earlier packet; please post the full debug output.