Actually this is the exact same problem I have. I need to
type my credentials in for authentication to work. If I let windows do it,
I won't get in.
If any of you could please help us out with this
issue, that'd be great
Cheers
Héctor
michael,
The configuration works when i type in my username as
'username@domain', when i let windows fill it in i don't get in.
My password gets locked after 3 attempts, and
the wifi retries several times. If you look higher in the file you will see
another error:(logon failure)
It
works with the standard certs, so for finding a good working configuration this
is ok for now. Obviously i will change this for production.
Stieven Struyf
M.I.S. Division - System Operations
Komatsu Europe International NV
Mechelsesteenweg 586
B-1800
Vilvoorde
Stieven.Struyf@komatsu.eu
Tel. +32 (0)2 2552551
| "King, Michael"
<MKing@bridgew.edu>
11/06/2006 04:04 PM
|
|
To
| <Stieven.Struyf@komatsu.eu>,
"FreeRadius users mailing list"
<freeradius-users@lists.freeradius.org>
|
|
cc
|
|
|
Subject
| RE: freeradius and ntlm_auth
howto |
|
Some things I've noticed from your attached files
Module:
Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption =
yes
mschap: require_strong = yes
I've never enabled these before, I'm
unaware what affect they will have
tls:
pem_file_type = yes
tls: private_key_file =
"/etc/raddb/certs/cert-srv.pem"
tls: certificate_file =
"/etc/raddb/certs/cert-srv.pem"
tls: CA_file =
"/etc/raddb/certs/demoCA/cacert.pem"
tls: private_key_password =
"whatever"
tls: dh_file = "/etc/raddb/certs/dh"
tls: random_file =
"/etc/raddb/certs/random"
Did you generate your OWN certs... They one's
that ship with the server ARE NOT vailid. You have to generate your own.
rlm_eap:
Loaded and initialized type peap
mschapv2: with_ntdomain_hack =
no
rlm_eap: Loaded and initialized type mschapv2
That doesn't look
right
BUT YOUR
FINAL ANSWER:
xec-Program:
/usr/bin/ntlm_auth --request-nt-key --username=sstruyf
--challenge=b9ee04ca891c7b7d
--nt-response=79b960c773fa101929d3bf8e738168e8b6d8ae8cd61f64f0
Exec-Program
output: Account locked out (0xc0000234)
Exec-Program-Wait: plaintext:
Account locked out (0xc0000234)
Exec-Program: returned:
1
rlm_mschap: External script failed.
rlm_mschap: FAILED:
MS-CHAP2-Response is incorrect
Your account in the
domain is not correct.
Looks like it's been disabled or something.
Fix that
first before you change anymore config files.
From: Stieven.Struyf@komatsu.eu
[mailto:Stieven.Struyf@komatsu.eu]
Sent: Monday, November 06, 2006
3:16 AM
To: King, Michael
Subject: Fw: freeradius and
ntlm_auth howto
Michael,
I sent my reply already to the list, but due to the size(larger than
100k) it had to be reviewed by the admin and after a week it was
rejected.
Below you
can find the mail. Thanks for helping me.
Stieven Struyf
M.I.S. Division - System Operations
Komatsu Europe International NV
Mechelsesteenweg 586
B-1800
Vilvoorde
Stieven.Struyf@komatsu.eu
Tel. +32 (0)2 2552551
----- Forwarded by
Stieven Struyf/KEISA/BE/KOMEUR on 11/06/2006 09:13 AM -----
| Stieven
Struyf/KEISA/BE/KOMEUR
11/02/2006 08:55 AM
|
|
To
| FreeRadius users
mailing list
<freeradius-users@lists.freeradius.org>
|
|
cc
|
|
|
Subject
| RE: freeradius and ntlm_auth
howtoLink |
|
I added the debuglog as
attachment(as it is a little large to paste here).
This is the mschap config:
mschap {
authtype = MS-CHAP
use_mppe = yes
require_strong
= yes
with_ntdomain_hack = yes
require_encryption = yes
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{mschap:User-Name} --challenge=%{mschap:Challenge}
--nt-response=%{mschap:NT-Response}"
}
Stieven Struyf
M.I.S.
Division - System Operations
Komatsu Europe International
NV
Mechelsesteenweg 586
B-1800
Vilvoorde
Stieven.Struyf@komatsu.eu
Tel. +32 (0)2 2552551
freeradius-users-bounces+stieven.struyf=komatsu.eu@lists.freeradius.org
wrote on 10/27/2006 04:36:00 PM:
> Let's see if we can get this
solved...
>
> > -----Original Message-----
> > Here's
the full log:
> > Waking up in 6 seconds...
> > rad_recv:
Access-Request packet from host 10.104.254.73:1645,
>
> This is
NOT the full log. The full log would have started with the line
>
/path/to/radiusd -X
>
> Some important stuff is printed out there,
it helps us help you.
>
>
> > rlm_mschap:
NT Domain delimeter found, should we have
> > enabled
with_ntdomain_hack?
> > rlm_mschap: NT Domain delimeter found,
should we have
> > enabled with_ntdomain_hack?
>
> Did
you enable Ntdomain Hack in the MSCHAP module? (See below)
>
>
> Including your radius.conf file would help.
>
>
> > > HOWEVER, first you may want to check your mschap module
definition:
> > >
> > > modules {
> > >
mschap {
> > > ntlm_auth =
"/usr/bin/ntlm_auth \
> > > --request-nt-key \
> >
> --username=%{mschap:User-Name:-None} \
> > >
--domain=%{mschap:NT-Domain:-None} \
> > >
--challenge=%{mschap:Challenge:-00} \
> > >
--nt-response=%{mschap:NT-Response:-00}"
> > >
> > >
...all on one line of course. Note the use of the
> >
"mschap:User-Name"
> > > and "mschap:NT-Domain" values.
>
> Mine radiusd.conf file's mschap section looks like this:
> NOTE
that I do NOT have the :-00 and the :-None statements, and I DO
> have
with_ntdomain_hack=yes
>
>
> #
Microsoft CHAP authentication
> #
>
# This module supports MS-CHAP and MS-CHAPv2
authentication.
> # It also enforces the
SMB-Account-Ctrl attribute.
> #
>
mschap {
>
with_ntdomain_hack = yes
>
ntlm_auth = "/usr/bin/ntlm_auth \
>
--request-nt-key \
>
--username=%{mschap:User-Name} \
>
--challenge=%{mschap:Challenge} \
>
--nt-response=%{mschap:NT-Response}
>
}
>
>
> -
> List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html