Actually this is the exact same problem I have. I need to type my credentials in for authentication to work. If I let windows do it, I won't get in. If any of you could please help us out with this issue, that'd be great Cheers Héctor ________________________________ Von: freeradius-users-bounces+hector.ortiz=swisscom.com@lists.freeradius.org [mailto:freeradius-users-bounces+hector.ortiz=swisscom.com@lists.freeradius.org] Im Auftrag von Stieven.Struyf@komatsu.eu Gesendet: Montag, 6. November 2006 16:17 An: King, Michael Cc: freeradius-users@lists.freeradius.org Betreff: RE: freeradius and ntlm_auth howto michael, The configuration works when i type in my username as 'username@domain', when i let windows fill it in i don't get in. My password gets locked after 3 attempts, and the wifi retries several times. If you look higher in the file you will see another error:(logon failure) It works with the standard certs, so for finding a good working configuration this is ok for now. Obviously i will change this for production. Stieven Struyf M.I.S. Division - System Operations Komatsu Europe International NV Mechelsesteenweg 586 B-1800 Vilvoorde Stieven.Struyf@komatsu.eu Tel. +32 (0)2 2552551 "King, Michael" <MKing@bridgew.edu> 11/06/2006 04:04 PM To <Stieven.Struyf@komatsu.eu>, "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> cc Subject RE: freeradius and ntlm_auth howto Some things I've noticed from your attached files Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = yes mschap: require_strong = yes I've never enabled these before, I'm unaware what affect they will have tls: pem_file_type = yes tls: private_key_file = "/etc/raddb/certs/cert-srv.pem" tls: certificate_file = "/etc/raddb/certs/cert-srv.pem" tls: CA_file = "/etc/raddb/certs/demoCA/cacert.pem" tls: private_key_password = "whatever" tls: dh_file = "/etc/raddb/certs/dh" tls: random_file = "/etc/raddb/certs/random" Did you generate your OWN certs... They one's that ship with the server ARE NOT vailid. You have to generate your own. rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 That doesn't look right BUT YOUR FINAL ANSWER: xec-Program: /usr/bin/ntlm_auth --request-nt-key --username=sstruyf --challenge=b9ee04ca891c7b7d --nt-response=79b960c773fa101929d3bf8e738168e8b6d8ae8cd61f64f0 Exec-Program output: Account locked out (0xc0000234) Exec-Program-Wait: plaintext: Account locked out (0xc0000234) Exec-Program: returned: 1 rlm_mschap: External script failed. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect Your account in the domain is not correct. Looks like it's been disabled or something. Fix that first before you change anymore config files. ________________________________ From: Stieven.Struyf@komatsu.eu [mailto:Stieven.Struyf@komatsu.eu] Sent: Monday, November 06, 2006 3:16 AM To: King, Michael Subject: Fw: freeradius and ntlm_auth howto Michael, I sent my reply already to the list, but due to the size(larger than 100k) it had to be reviewed by the admin and after a week it was rejected. Below you can find the mail. Thanks for helping me. Stieven Struyf M.I.S. Division - System Operations Komatsu Europe International NV Mechelsesteenweg 586 B-1800 Vilvoorde Stieven.Struyf@komatsu.eu Tel. +32 (0)2 2552551 ----- Forwarded by Stieven Struyf/KEISA/BE/KOMEUR on 11/06/2006 09:13 AM ----- Stieven Struyf/KEISA/BE/KOMEUR 11/02/2006 08:55 AM To FreeRadius users mailing list <freeradius-users@lists.freeradius.org> cc Subject RE: freeradius and ntlm_auth howtoLink <Notes://bent63ke/C1257011005324FB/DABA975B9FB113EB852564B5001283EA/625A148B6EA233CDC125721400531414> I added the debuglog as attachment(as it is a little large to paste here). This is the mschap config: mschap { authtype = MS-CHAP use_mppe = yes require_strong = yes with_ntdomain_hack = yes require_encryption = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}" } Stieven Struyf M.I.S. Division - System Operations Komatsu Europe International NV Mechelsesteenweg 586 B-1800 Vilvoorde Stieven.Struyf@komatsu.eu Tel. +32 (0)2 2552551 freeradius-users-bounces+stieven.struyf=komatsu.eu@lists.freeradius.org wrote on 10/27/2006 04:36:00 PM:
Let's see if we can get this solved...
-----Original Message----- Here's the full log: Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.104.254.73:1645,
This is NOT the full log. The full log would have started with the line /path/to/radiusd -X
Some important stuff is printed out there, it helps us help you.
rlm_mschap: NT Domain delimeter found, should we have enabled with_ntdomain_hack? rlm_mschap: NT Domain delimeter found, should we have enabled with_ntdomain_hack?
Did you enable Ntdomain Hack in the MSCHAP module? (See below)
Including your radius.conf file would help.
HOWEVER, first you may want to check your mschap module definition:
modules { mschap { ntlm_auth = "/usr/bin/ntlm_auth \ --request-nt-key \ --username=%{mschap:User-Name:-None} \ --domain=%{mschap:NT-Domain:-None} \ --challenge=%{mschap:Challenge:-00} \ --nt-response=%{mschap:NT-Response:-00}"
...all on one line of course. Note the use of the "mschap:User-Name" and "mschap:NT-Domain" values.
Mine radiusd.conf file's mschap section looks like this: NOTE that I do NOT have the :-00 and the :-None statements, and I DO have with_ntdomain_hack=yes
# Microsoft CHAP authentication # # This module supports MS-CHAP and MS-CHAPv2 authentication. # It also enforces the SMB-Account-Ctrl attribute. # mschap { with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth \ --request-nt-key \ --username=%{mschap:User-Name} \ --challenge=%{mschap:Challenge} \ --nt-response=%{mschap:NT-Response} }
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html