Re: PEAP+MSCHAP+AD (please help)

Hector.Ortiz at swisscom.com Hector.Ortiz at swisscom.com
Mon Dec 11 10:07:40 CET 2006


Hello. No, I haven't edited the debug output. Why would I do this if I have a problem that I want to get solved? The debug output is exactly what I get from FreeRadius.

There have been more people on this list with the same problem, the latest being http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg31032.html. Even though he found a solution for his own problem, I followed his howto but unfortunately it didn't work for me.

About the client, when I turn the computer on, I have to type in the user credentials, the same ones that I use when testing FreeRadius. Windows sends FreeRadius the same user information in the two cases, but the outcome is completely different and this of course makes no sense.

There is no trick, this is a real problem I have.

Thanks for any further assistance

Héctor

-----Original Message-----
From: freeradius-users-bounces+hector.ortiz=swisscom.com at lists.freeradius.org [mailto:freeradius-users-bounces+hector.ortiz=swisscom.com at lists.freeradius.org] On behalf of Phil Mayers
Sent: Friday, 8 December 2006 19:32
To: FreeRadius users mailing list
Subject: Re: PEAP+MSCHAP+AD (please help)

Hector.Ortiz at swisscom.com wrote:
> Hi there, this is an old issue, but AFAIAC hasn't been solved yet, that's why I'm asking for help with this problem which is driving me crazy.
> 
> 
> In the first attempt the user has checked the option "Automatically use my Windows logon name and password (and domain if any)", user account is valid in the domain and is not locked out, however user authentication fails.
> 
> In the next attempt the user has unchecked this option, so every time he connects to the network he has to type his credentials in. After clicking "Connect" he gets access.
> 
> Why, if Windows sends the same user information, is the user able to get in only in the latter case?
> 
> Exec-Program: /opt/samba/bin/ntlm_auth --request-nt-key 
> --domain=DOMAIN --username=testuser --challenge=c61ad7019723b68d 
> --nt-response=70fb1b0438208667d0bac6eb895ea8644b413566785d5785
> Exec-Program output: Logon failure (0xc000006d)
> Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
> Exec-Program: returned: 1
>   rlm_mschap: External script failed.
>   rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
>   modcall[authenticate]: module "mschap" returns reject for request 7

It failed because the client returned the wrong challenge

> Exec-Program: /opt/samba/bin/ntlm_auth --request-nt-key 
> --domain=DOMAIN --username=testuser --challenge=aea3ef9fe78f8ac2 
> --nt-response=8c6a735e29ed7cddb8c02ae601424aca79d115544324731d
> Exec-Program output: NT_KEY: 12047FA4AC9D0AA0F53475F2FA2D03AF
> Exec-Program-Wait: plaintext: NT_KEY: 12047FA4AC9D0AA0F53475F2FA2D03AF
> Exec-Program: returned: 0
>   modcall[authenticate]: module "mschap" returns ok for request 16
> modcall: leaving group MS-CHAP (returns ok) for request 16 MSCHAP 
> Success

Whereas that worked.

It looks to me as if you've edited the debug output so I can't be sure, but I'd suggest looking at the client - the radius server is configured correctly. Perhaps the client is not in fact logging on to the laptop with the correct username and password.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
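The --challenge value in the ntlm_auth lines above is the MS-CHAPv2 ChallengeHash from RFC 2759: SHA-1 over the 16-octet peer challenge, the 16-octet authenticator challenge and the User-Name, truncated to 8 octets. The following is an added example, not code from this thread, FreeRADIUS or Samba; it checks the function against the RFC 2759 test vector and shows that client and server only arrive at the same challenge when they hash the same spelling of the user name (the function names and the DOMAIN\User sample are assumptions).

```python
import hashlib

# Assumed helper names; this is not rlm_mschap or ntlm_auth code.

def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """RFC 2759 ChallengeHash(): SHA-1(PeerChallenge || AuthenticatorChallenge || UserName)[0:8].
    This 8-octet value is what the server passes to ntlm_auth as --challenge."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges are 16 octets each")
    digest = hashlib.sha1(peer_challenge + auth_challenge + username.encode("ascii")).digest()
    return digest[:8]

# RFC 2759 section 9.2 test vector (UserName "User")
RFC_AUTH = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
RFC_PEER = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
RFC_CHALLENGE = "d02e4386bce91226"

def rfc_vector_ok() -> bool:
    """Sanity check against the published vector."""
    return challenge_hash(RFC_PEER, RFC_AUTH, "User").hex() == RFC_CHALLENGE

def same_challenge(client_name: str, server_name: str,
                   peer: bytes = RFC_PEER, auth: bytes = RFC_AUTH) -> bool:
    """True only if both sides fed the same User-Name into the hash.
    If the client hashed "User" but the server hashes "DOMAIN\\User"
    (an NT-domain prefix, constructed sample), the challenges differ and
    the NT-response check fails even though the password is correct."""
    return challenge_hash(peer, auth, client_name) == challenge_hash(peer, auth, server_name)

if __name__ == "__main__":
    print("RFC 2759 vector:", "ok" if rfc_vector_ok() else "MISMATCH")
    print("User vs DOMAIN\\User agree:", same_challenge("User", "DOMAIN\\User"))  # False
```

In rlm_mschap the with_ntdomain_hack setting decides whether a DOMAIN\ prefix on User-Name is stripped before this hash is computed, so the debug output's --challenge alone does not reveal which name form the client used.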