PEAP+MSCHAP+AD (please help)
Phil Mayers
p.mayers at imperial.ac.uk
Fri Dec 8 19:31:37 CET 2006
Hector.Ortiz at swisscom.com wrote:
> Hi there, this is an old issue, but AFAIAC hasn't been solved yet, that's why I'm asking for help with this problem which is driving me crazy.
>
>
> In the first attempt the user has checked the option "Automatically use my Windows logon name and password (and domain if any)", user account is valid in the domain and is not locked out, however user authentication fails.
>
> In the next attempt the user has unchecked this option, so every time he connects to the network he has to type his credentials in. After clicking "Connect" he gets access.
>
> Why, if Windows sends the same user information, is the user able to get in only in the latter case?
>
> Exec-Program: /opt/samba/bin/ntlm_auth --request-nt-key --domain=DOMAIN --username=testuser --challenge=c61ad7019723b68d --nt-response=70fb1b0438208667d0bac6eb895ea8644b413566785d5785
> Exec-Program output: Logon failure (0xc000006d)
> Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
> Exec-Program: returned: 1
> rlm_mschap: External script failed.
> rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
> modcall[authenticate]: module "mschap" returns reject for request 7

It failed because the client returned the wrong challenge.

> Exec-Program: /opt/samba/bin/ntlm_auth --request-nt-key --domain=DOMAIN --username=testuser --challenge=aea3ef9fe78f8ac2 --nt-response=8c6a735e29ed7cddb8c02ae601424aca79d115544324731d
> Exec-Program output: NT_KEY: 12047FA4AC9D0AA0F53475F2FA2D03AF
> Exec-Program-Wait: plaintext: NT_KEY: 12047FA4AC9D0AA0F53475F2FA2D03AF
> Exec-Program: returned: 0
> modcall[authenticate]: module "mschap" returns ok for request 16
> modcall: leaving group MS-CHAP (returns ok) for request 16
> MSCHAP Success

Whereas that worked.

It looks to me as if you've edited the debug output so I can't be sure,
but I'd suggest looking at the client - the radius server is configured
correctly. Perhaps the client is not in fact logging on to the laptop
with the correct username and password.
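
A triage helper for debug output like the log quoted above, added here as an example and not part of the original thread or of FreeRADIUS: it pairs each `ntlm_auth` call with its result, names the NTSTATUS code, and lists accounts that both failed and succeeded. The function names and the sample log are constructed for illustration, and the line format is assumed to match the lines quoted in the message.

```python
import re

NTSTATUS = {  # codes ntlm_auth may print; 0xc000006d is the one in this thread
    0xC000006D: "STATUS_LOGON_FAILURE", 0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000064: "STATUS_NO_SUCH_USER", 0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}
CALL = re.compile(r"Exec-Program: \S*ntlm_auth\s+(.*)")
ARG = re.compile(r"--([\w-]+)=(\S+)")
OUT = re.compile(r"Exec-Program output: (.*)")
RET = re.compile(r"Exec-Program: returned: (\d+)")
CODE = re.compile(r"\((0x[0-9a-fA-F]{8})\)")

def parse_attempts(log):
    """Pair each ntlm_auth call with its outcome; NT_KEY and nt-response are not kept."""
    attempts, cur = [], None
    for raw in log.splitlines():
        line = raw.lstrip("> ").strip()          # tolerate e-mail quoting
        if m := CALL.search(line):
            args = dict(ARG.findall(m.group(1)))
            cur = {"user": args.get("username"), "domain": args.get("domain"),
                   "challenge": args.get("challenge"), "result": None, "rc": None}
            attempts.append(cur)
        elif cur and (m := OUT.search(line)):
            text = m.group(1)
            code = CODE.search(text)
            if text.startswith("NT_KEY:"):
                cur["result"] = "OK"             # success; the key itself is dropped
            else:
                cur["result"] = NTSTATUS.get(int(code.group(1), 16), code.group(1)) if code else text
        elif cur and (m := RET.search(line)):
            cur["rc"] = int(m.group(1))
    return attempts

def mixed_outcome_accounts(attempts):
    """Accounts with both a failure and a success: the pattern discussed in this thread."""
    seen = {}
    for a in attempts:
        seen.setdefault((a["domain"], a["user"]), set()).add(a["result"] == "OK")
    return sorted(k for k, v in seen.items() if v == {True, False})

# Constructed sample in the format quoted above (placeholder hex values).
SAMPLE = f"""\
> Exec-Program: /opt/samba/bin/ntlm_auth --request-nt-key --domain=DOMAIN --username=testuser --challenge={'11' * 8} --nt-response={'22' * 24}
> Exec-Program output: Logon failure (0xc000006d)
> Exec-Program: returned: 1
> Exec-Program: /opt/samba/bin/ntlm_auth --request-nt-key --domain=DOMAIN --username=testuser --challenge={'33' * 8} --nt-response={'44' * 24}
> Exec-Program output: NT_KEY: {'AB' * 16}
> Exec-Program: returned: 0
"""
if __name__ == "__main__": print(parse_attempts(SAMPLE), mixed_outcome_accounts(parse_attempts(SAMPLE)))
```

An account that appears in the mixed-outcome list exists and is usable on the server side, so the failing attempts are worth comparing against what the client supplied for that logon.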