AW: PEAP+MSCHAP+AD (please help)

Phil Mayers p.mayers at imperial.ac.uk
Mon Dec 11 11:25:45 CET 2006


Hector.Ortiz at swisscom.com wrote:
> Hello. No, I haven't edited the debug output. Why would I do this if
> I have a problem that I want to get solved? The debug output is
> exactly what I get from FreeRadius.

People do some surprising things on this mailing list...

I saw that you had a domain called DOMAIN, which is not very common, and 
assumed "the worst" i.e. that you had edited the output.

> 
> There have been more people in this list with the same problem, being
> the latest
> http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg31032.html.
> Even though he found a solution for his own problem, I followed his
> howto but unfortunately it didn't work for me.
> 
> About the client, when I turn the computer on, I have to type in the
> user credentials, the same ones that I use when testing FreeRadius.
> Windows sends FreeRadius the same user information in the two cases,
> but the outcome is completely different and this of course makes no
> sense.
> 
> There is no trick, this is a real problem I have.

I didn't imagine you were trying to trick us.

As far as I can tell, your FreeRadius configuration looks correct. It's 
able to answer at least some MS-CHAP requests, and as you say there's no 
real difference as far as the server is concerned between an automatic 
or manual client login.

This makes me suspect that there *is* a difference between such on the 
client side.

Couple of other things you could try:

netsh ras set tracing * enable

...on the windows client side, then inspect the logs (If memory serves 
they go to %WINDIR%/system32/tracing)

Also - the client is in DOMAIN, the server is also in DOMAIN yes? As in, 
you're not trying to authenticate a trusted domain user?

Finally, I see you've got the ntlm_auth helper set to:

/opt/samba/bin/ntlm_auth --request-nt-key 
--domain=%{mschap:NT-Domain:-DOMAIN} --username=%{mschap:User-Name} 
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

You could try removing the --domain argument completely -
though you should not need to.

You could obviously also bump the Samba debugging level for a failing 
login and inspect the samba logs.
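To make the expansion of that ntlm_auth line concrete, here is a small added example (mine, not from the original post and not FreeRADIUS code) that builds the argv ntlm_auth ends up receiving for the three login-name shapes a Windows client can send: DOMAIN\user, user@realm and a bare user. The DOMAIN\user split is what the mschap xlat does; treating user@realm the same way, the default domain "DOMAIN", the helper path and the constructed challenge/response values are assumptions made here for the example. It also flags the trusted-domain case asked about above, where the name carries a domain other than the server's own.

```python
import shlex

# Constructed values for the demonstration; in a real request they come from
# the MS-CHAP attributes in the Access-Request and from the server's join.
SERVER_DOMAIN = "DOMAIN"                 # domain the RADIUS box is joined to (assumed)
NTLM_AUTH = "/opt/samba/bin/ntlm_auth"   # helper path quoted in the thread


def split_nt_user(user_name):
    """Split a login name into (domain, user).

    DOMAIN\\user is what %{mschap:NT-Domain} / %{mschap:User-Name} split on.
    Handling user@realm the same way is an assumption made for this example,
    not a documented property of the xlat.  A bare name yields domain None.
    """
    if "\\" in user_name:
        domain, _, user = user_name.partition("\\")
        return domain, user
    if "@" in user_name:
        user, _, domain = user_name.partition("@")
        return domain, user
    return None, user_name


def _hex_field(value, nbytes, what):
    """Validate a hex field of exactly nbytes bytes; empty falls back to "00"
    exactly as the ":-00" default in the config line does."""
    if not value:
        return "00"
    try:
        raw = bytes.fromhex(value)
    except ValueError:
        raise ValueError(f"{what} is not a hex string: {value!r}")
    if len(raw) != nbytes:
        raise ValueError(f"{what} must be {nbytes} bytes, got {len(raw)}")
    return value.lower()


def build_ntlm_auth_argv(user_name, challenge, nt_response,
                         default_domain=SERVER_DOMAIN, pass_domain=True):
    """Mirror the expansion of the ntlm_auth line quoted in the reply.

    challenge is the 8-byte MS-CHAP challenge, nt_response the 24-byte
    NT-Response, both as hex.  pass_domain=False models removing --domain
    entirely, as the reply suggests trying.  Returns the argv list.
    """
    challenge = _hex_field(challenge, 8, "MS-CHAP challenge")
    nt_response = _hex_field(nt_response, 24, "NT-Response")
    domain, user = split_nt_user(user_name)
    argv = [NTLM_AUTH, "--request-nt-key"]
    if pass_domain:
        # %{mschap:NT-Domain:-DOMAIN}: the parsed domain, else the default
        argv.append("--domain=" + (domain or default_domain))
    argv += ["--username=" + user,
             "--challenge=" + challenge,
             "--nt-response=" + nt_response]
    return argv


def domain_mismatch(user_name, server_domain=SERVER_DOMAIN):
    """True when the login name names a domain other than the server's own,
    i.e. the trusted-domain situation the reply asks about."""
    domain, _ = split_nt_user(user_name)
    return domain is not None and domain.upper() != server_domain.upper()


if __name__ == "__main__":
    chal = "0123456789abcdef"   # constructed 8-byte challenge
    resp = "00" * 24            # constructed 24-byte NT-Response
    for name in ("DOMAIN\\alice", "alice", "alice@corp.example", "OTHERDOM\\alice"):
        print(shlex.join(build_ntlm_auth_argv(name, chal, resp)))
        print("   trusted-domain user:", domain_mismatch(name))
```

Running it shows that a bare "alice" only reaches ntlm_auth with --domain=DOMAIN because of the ":-DOMAIN" default, whereas "OTHERDOM\alice" carries its own domain through; comparing the printed line against what the Samba log shows for a failing login is a quick way to spot which side is disagreeing.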
