So I have to modify the first request from the client to use MS-CHAP request ? Because in my database for the User-Name, I have the following mysql> select * from radcheck ; +----+----------------------------------------+-----------+----+---------+ | id | UserName | Attribute | op | Value | +----+----------------------------------------+-----------+----+---------+ | 10 | TOTO@MYDOMAIN | Auth-Type | := | MS-CHAP | +----+----------------------------------------+-----------+----+---------+ 1 row in set (0.00 sec) So what I have to do ? Do you have a link for Active Directory Integration ? Thanks for you help ----- Message d'origine ---- De : Phil Mayers <p.mayers@imperial.ac.uk> À : FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Envoyé le : Lundi, 30 Juin 2008, 13h53mn 23s Objet : Re: Active Directory Integration This:
rad_recv: Access-Request packet from host 192.48.19.111:49154, id=0, length=108 User-Name = "TOTO@MYDOMAIN" User-Password = "toto" Cisco-AVPair = "shell:priv-lvl=1" NAS-IP-Address = 192.48.19.111
...is not an MS-CHAP request, as the later debug tells you:
modcall: entering group MS-CHAP for request 0 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: No MS-CHAP-Challenge in the request modcall[authenticate]: module "mschap" returns reject for request 0
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html _____________________________________________________________________________ Envoyez avec Yahoo! Mail. Une boite mail plus intelligente http://mail.yahoo.fr
pingouin osmolateur wrote:
So I have to modify the first request from the client to use MS-CHAP request ?
No.
Because in my database for the User-Name, I have the following
Which is wrong. You were told it is wrong.
So what I have to do ?
Delete that row from the database. The documentation tries to make it clear: Setting Auth-Type is wrong. Don't do it.
Do you have a link for Active Directory Integration ?
See my web site: http://deployingradius.com Alan DeKok.
Because in my database for the User-Name, I have the following
mysql> select * from radcheck ; +----+----------------------------------------+-----------+----+---------+ | id | UserName | Attribute | op | Value | +----+----------------------------------------+-----------+----+---------+ | 10 | TOTO@MYDOMAIN | Auth-Type | := | MS-CHAP | +----+----------------------------------------+-----------+----+---------+ 1 row in set (0.00 sec)
Delete that. You can't make a request into mschap by pretending it is one.
So what I have to do ?
Well, what do you want to do? You have created AD integration for mschap requests via ntlm_auth. That's mainly used for wireless clients that use PEAP. It's not going to be of great use if your clients are going to be sending pap requests. For those you can use (already created) ldap configuration. Retrieve passwords from AD as NT-Password and (freeradius) pap module will authenticate them. mschap requests will work with this too. Ivan Kalik Kalik Informatika ISP
participants (3)
-
Alan DeKok -
Ivan Kalik -
pingouin osmolateur