OK, here is the situation. I have successfully configured RADIUS to authenticate/authorize NAS requests from my Cisco gear so long as the user "Auth-Type= System". I have also managed to get Samba working and have joined the radius server to the AD realm in question. This is confirmed through the following: ntlm_auth --request-nt-key --domain=MYDOMAIN --username=MYUID password:xxxxx NT_STATUS_OK: Success (0x0) wbinfo -a MYUID%MYPASSWD plaintext password authentication failed error code was NT_STATUS_NO_SUCH_USER (0xc0000064) error messsage was: No such user Could not authenticate user MYUID%MTPASSWD with plaintext password challenge/response password authentication succeeded However, when I edit the /etc/raddb/users file and change the "Auth-Type= System" to "Auth-Type=MSCAP" all authentication attempts fail. Am I specifying the correct auth-type? Have I missed a step? Is there something I can do (debug maybe) that will better assist in identifying the problem? Any and all suggestions are appreciated. I am attempting to have RADIUS proxy authentication requests to AD, then assign attributes if authentication succeeds. Chad
Bohannan, Chad W wrote:
OK, here is the situation. I have successfully configured RADIUS to authenticate/authorize NAS requests from my Cisco gear so long as the user “Auth-Type= System”. I have also managed to get Samba working and have joined the radius server to the AD realm in question. This is confirmed through the following:
The radius server doesn't specify MSCHAP. The NAS *tells* the radius server that this request *is* using MSCHAP by virtue of sending the appropriate MSCHAP attributes. Configure your NAS (dialup server, VPN, IPSec+xauth, whatever) to do MSCHAP, and as long as the mschap module is in the authorize and authenticate sections, it will work.
participants (2)
-
Bohannan, Chad W -
Phil Mayers