Here's the full log: Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.104.254.73:1645, id=67, length=259 User-Name = "KMT-EU.KMTG.NET\\sstruyf" Framed-MTU = 1400 Called-Station-Id = "0016.469b.7cd0" Calling-Station-Id = "0011.851a.cc37" Service-Type = Login-User Message-Authenticator = 0xfeb711c4400f8f34b9fef7c2be7f77bc EAP-Message = 0x020900691900170301005e5971fff2b46b2f81e88ed248772a59c1860abf0ebe40379c9e20c0ac6edd9cb19abe8ebfe82595c54bc12a979c51182f9b58d130708870f1b6bb17c1cd8249a64ddae5750e9411d4e337bd0876f393e83f2015b4c783ee35db02041bad3 NAS-Port-Type = Wireless-802.11 NAS-Port = 2936 State = 0x5d8298849858ea61aec0380c81af200d NAS-IP-Address = 10.104.254.73 NAS-Identifier = "WAP07KE" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 modcall[authorize]: module "preprocess" returns ok for request 7 modcall[authorize]: module "mschap" returns noop for request 7 rlm_realm: No '@' in User-Name = "KMT-EU.KMTG.NET\sstruyf", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "kmt-eu.kmtg.net" returns noop for request 7 rlm_realm: Looking up realm "KMT-EU.KMTG.NET" for User-Name = "KMT-EU.KMTG.NET\sstruyf" rlm_realm: Found realm "KMT-EU.KMTG.NET" rlm_realm: Adding Stripped-User-Name = "sstruyf" rlm_realm: Proxying request from user sstruyf to realm KMT-EU.KMTG.NET rlm_realm: Adding Realm = "KMT-EU.KMTG.NET" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "ntdomain" returns noop for request 7 rlm_eap: EAP packet type response id 9 length 105 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 7 users: Matched sstruyf at 98 modcall[authorize]: module "files" returns ok for request 7 modcall: group authorize returns updated for request 7 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: EAP type mschapv2 rlm_eap_peap: Tunneled data is valid. PEAP: Got tunneled EAP-Message EAP-Message = 0x020900521a0209004d3160a685c531c746f19621bbdd8d3f136800000000000000001af36673f68f9f26b4cc76bf8cd9f440dc36396981ad345004b4d542d45552e4b4d54472e4e45545c73737472757966 PEAP: Setting User-Name to KMT-EU.KMTG.NET\sstruyf PEAP: Adding old state with 46 61 PEAP: Sending tunneled request EAP-Message = 0x020900521a0209004d3160a685c531c746f19621bbdd8d3f136800000000000000001af36673f68f9f26b4cc76bf8cd9f440dc36396981ad345004b4d542d45552e4b4d54472e4e45545c73737472757966 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "KMT-EU.KMTG.NET\\sstruyf" State = 0x4661e4398678b434bf08ae113a631207 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 modcall[authorize]: module "preprocess" returns ok for request 7 modcall[authorize]: module "mschap" returns noop for request 7 rlm_realm: No '@' in User-Name = "KMT-EU.KMTG.NET\sstruyf", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "kmt-eu.kmtg.net" returns noop for request 7 rlm_realm: Looking up realm "KMT-EU.KMTG.NET" for User-Name = "KMT-EU.KMTG.NET\sstruyf" rlm_realm: Found realm "KMT-EU.KMTG.NET" rlm_realm: Adding Stripped-User-Name = "sstruyf" rlm_realm: Proxying request from user sstruyf to realm KMT-EU.KMTG.NET rlm_realm: Adding Realm = "KMT-EU.KMTG.NET" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "ntdomain" returns noop for request 7 rlm_eap: EAP packet type response id 9 length 82 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 7 users: Matched sstruyf at 98 modcall[authorize]: module "files" returns ok for request 7 modcall: group authorize returns updated for request 7 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 7 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: NT Domain delimeter found, should we have enabled with_ntdomain_hack? rlm_mschap: Told to do MS-CHAPv2 for KMT-EU.KMTG.NET\sstruyf with NT-Password radius_xlat: Running registered xlat function of module mschap for string 'User-Name' radius_xlat: Running registered xlat function of module mschap for string 'Challenge' mschap2: 27 rlm_mschap: NT Domain delimeter found, should we have enabled with_ntdomain_hack? radius_xlat: Running registered xlat function of module mschap for string 'NT-Response' radius_xlat: '/usr/bin/ntlm_auth --request-nt-key --username=sstruyf --challenge=decc4450c3b83d2c --nt-response=1af36673f68ff26b4cc76bf8cd9f440d0c36396981ad345' Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=sstruyf --challenge=decc4450c3b83d2c --nt-response=1af36673f68f926b4cc76bf8cd9f440d0c36396981ad345 Exec-Program output: Logon failure (0xc000006d) Exec-Program-Wait: plaintext: Logon failure (0xc000006d) Exec-Program: returned: 1 rlm_mschap: External script failed. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 7 modcall: group Auth-Type returns reject for request 7 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns reject for request 7 modcall: group authenticate returns reject for request 7 auth: Failed to validate the user. Login incorrect: [KMT-EU.KMTG.NET\\sstruyf/<no User-Password attribute>] (from client localhost port 0) Processing the post-auth section of radiusd.conf modcall: entering group Post-Auth-Type for request 7 hpidm: entered hpidm_post_auth rlm_hpidm: request does not contain NAS-Port, cannot process this reply modcall[post-auth]: module "hpidm" returns ok for request 7 modcall: group Post-Auth-Type returns ok for request 7 PEAP: Got tunneled reply RADIUS code 3 Service-Type = Login-User Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = 802 Tunnel-Private-Group-Id:0 = "3" MS-CHAP-Error = "\tE=691 R=1" EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Processing from tunneled session code 0x81c8538 3 Service-Type = Login-User Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = 802 Tunnel-Private-Group-Id:0 = "3" MS-CHAP-Error = "\tE=691 R=1" EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE modcall[authenticate]: module "eap" returns handled for request 7 modcall: group authenticate returns handled for request 7 Sending Access-Challenge of id 67 to 10.104.254.73:1645 Service-Type = Login-User Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = 802 Tunnel-Private-Group-Id:0 = "3" EAP-Message = 0x010a00261900170301001bbea51b60bcb4566d7ef538deab44475ff7bea343dbeb8600663c15 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x53366a955095f03c779d1b7ef5a01e38 Finished request 7 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.104.254.73:1645, id=68, length=192 User-Name = "KMT-EU.KMTG.NET\\sstruyf" Framed-MTU = 1400 Called-Station-Id = "0016.469b.7cd0" Calling-Station-Id = "0011.851a.cc37" Service-Type = Login-User Message-Authenticator = 0x19198f9e13690ff3237353e66c498924 EAP-Message = 0x020a00261900170301001b723ec3fbfe48e768422325cbd73602c757a16c7c650e39a86cfcf5 NAS-Port-Type = Wireless-802.11 NAS-Port = 2936 State = 0x53366a955095f03c779d1b7ef5a01e38 NAS-IP-Address = 10.104.254.73 NAS-Identifier = "WAP07KE" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 8 modcall[authorize]: module "preprocess" returns ok for request 8 modcall[authorize]: module "mschap" returns noop for request 8 rlm_realm: No '@' in User-Name = "KMT-EU.KMTG.NET\sstruyf", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "kmt-eu.kmtg.net" returns noop for request 8 rlm_realm: Looking up realm "KMT-EU.KMTG.NET" for User-Name = "KMT-EU.KMTG.NET\sstruyf" rlm_realm: Found realm "KMT-EU.KMTG.NET" rlm_realm: Adding Stripped-User-Name = "sstruyf" rlm_realm: Proxying request from user sstruyf to realm KMT-EU.KMTG.NET rlm_realm: Adding Realm = "KMT-EU.KMTG.NET" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "ntdomain" returns noop for request 8 rlm_eap: EAP packet type response id 10 length 38 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 8 users: Matched sstruyf at 98 modcall[authorize]: module "files" returns ok for request 8 modcall: group authorize returns updated for request 8 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 8 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Tunneled data is valid. rlm_eap_peap: Had sent TLV failure, rejecting. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 8 modcall: group authenticate returns invalid for request 8 auth: Failed to validate the user. Login incorrect: [KMT-EU.KMTG.NET\\sstruyf/<no User-Password attribute>] (from client WAP07KE port 2936 cli 0011.851a.cc37) Processing the post-auth section of radiusd.conf Stieven Struyf M.I.S. Division - System Operations Komatsu Europe International NV Mechelsesteenweg 586 B-1800 Vilvoorde Stieven.Struyf@komatsu.eu Tel. +32 (0)2 2552551 freeradius-users-bounces+stieven.struyf=komatsu.eu@lists.freeradius.org wrote on 10/27/2006 12:26:09 PM:
HOWEVER, first you may want to check your mschap module definition:
modules { mschap { ntlm_auth = "/usr/bin/ntlm_auth \ --request-nt-key \ --username=%{mschap:User-Name:-None} \ --domain=%{mschap:NT-Domain:-None} \ --challenge=%{mschap:Challenge:-00} \ --nt-response=%{mschap:NT-Response:-00}"
...all on one line of course. Note the use of the "mschap:User-Name" and
"mschap:NT-Domain" values. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html I checked it and changed the userline value(it was stripped-username something, but without success.)