On Feb 24, 2015, at 8:47 AM, Clement Ogedengbe <c.ogedengbe@worc.ac.uk> wrote:
I have now tested the server with eapol_test (without certificate validation) and it failed. I tested using the eaptest config below (PEAP & TTLS) : (I have masked out userid & password).
That’s bad.
EAP-MSCHAPV2: Received success EAP-MSCHAPV2: Invalid authenticator response in success request
That’s the problem. Why does it happen?
[mschap_ad] Creating challenge hash with username: uwjrstest [mschap_ad] expand: --challenge=%{mschap_ad:Challenge:-00} -> --challenge=eb2123a7a496e886 [mschap_ad] expand: --nt-response=%{mschap_ad:NT-Response:-00} -> --nt-response=4619af06b81d1426e5c7921fe751e5f46b7ee3456b3b0c7f Exec-Program output: NT_KEY: 51C1A08577E4ECDBBD59863E8B0BF5BD Exec-Program-Wait: plaintext: NT_KEY: 51C1A08577E4ECDBBD59863E8B0BF5BD
ntlm_auth is giving the wrong response to FreeRADIUS. i.e. the problem isn’t FreeRADIUS. Re-start Samba, winbindd, etc. Then try it again. It should work. If it doesn’t, upgrade Samba to a version that works. Or (sad to say) downgrade it to a version that works. Alan DeKok.