AW: PEAP+MSCHAP+AD (please help)
Phil Mayers
p.mayers at imperial.ac.uk
Mon Dec 11 11:25:45 CET 2006
Hector.Ortiz at swisscom.com wrote:
> Hello. No, I haven't edited the debug output. Why would I do this if
> I have a problem that I want to get solved? The debug output is
> exactly what I get from FreeRadius.
People do some surprising things on this mailing list...
I saw that you had a domain called DOMAIN, which is not very common, and
assumed "the worst" i.e. that you had edited the output.
>
> There have been more people in this list with the same problem, being
> the latest
> http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg31032.html.
> Even though he found a solution for his own problem, I followed his
> howto but unfortunately it didn't work for me.
>
> About the client, when I turn the computer on, I have to type in the
> user credentials, the same ones that I use when testing FreeRadius.
> Windows sends FreeRadius the same user information in the two cases,
> but the outcome is completely different and this of course makes no
> sense.
>
> There is no trick, this is a real problem I have.
I didn't imagine you were trying to trick us.
As far as I can tell, your FreeRadius configuration looks correct. It's
able to answer at least some MS-CHAP requests, and as you say there's no
real difference as far as the server is concerned between an automatic
or manual client login.
This makes me suspect that there *is* a difference between such on the
client side.
Couple of other things you could try:
netsh ras set tracing * enable
...on the Windows client side, then inspect the logs (if memory serves
they go to %WINDIR%/system32/tracing).
Also - the client is in DOMAIN, the server is also in DOMAIN yes? As in,
you're not trying to authenticate a trusted domain user?
Finally, I see you've got the ntlm_auth helper set to:
/opt/samba/bin/ntlm_auth --request-nt-key
--domain=%{mschap:NT-Domain:-DOMAIN} --username=%{mschap:User-Name}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
You could try removing the --domain argument completely -
though you should not need to.
You could obviously also bump the Samba debugging level for a failing
login and inspect the samba logs.
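As an added example (not part of Phil's reply or the FreeRADIUS project), the script below exercises the ntlm_auth helper by hand, once with and once without the --domain argument, so that a winbind/AD problem can be told apart from a RADIUS-side one before touching the server configuration. It assumes ntlm_auth is on PATH (override with NTLM_AUTH=/opt/samba/bin/ntlm_auth as in the thread), that winbind is joined to the domain, and that the NTLM_USER/NTLM_DOMAIN/NTLM_PASS variable names are this script's own choice.

```shell
#!/bin/sh
# Added example (not from the thread): call ntlm_auth directly, with and
# without --domain, and turn the two results into a pointer for what to
# check next. Assumes ntlm_auth is on PATH (override with NTLM_AUTH) and
# that winbind is joined to the domain.

NTLM_AUTH="${NTLM_AUTH:-ntlm_auth}"

# Map the first line of ntlm_auth output to a short verdict.
# ntlm_auth prints "NT_STATUS_OK: Success (0x0)" on success and an
# NT_STATUS_* code such as NT_STATUS_WRONG_PASSWORD otherwise.
classify_ntlm_status() {
    case "$1" in
        NT_STATUS_OK:*)             echo ok ;;
        NT_STATUS_WRONG_PASSWORD:*) echo bad-password ;;
        NT_STATUS_NO_SUCH_USER:*)   echo no-such-user ;;
        NT_STATUS_*)                echo "failed:${1%%:*}" ;;
        *)                          echo unknown ;;
    esac
}

# Turn the "with --domain" and "without --domain" verdicts into the next
# thing to look at.
interpret() {
    with="$1"; without="$2"
    if [ "$with" = ok ] && [ "$without" = ok ]; then
        echo "winbind accepts the user either way; look at the MS-CHAP exchange and the client side"
    elif [ "$with" = ok ]; then
        echo "only works with --domain: winbind does not resolve the bare username, keep the argument"
    elif [ "$without" = ok ]; then
        echo "only works without --domain: the expanded --domain value is wrong for winbind"
    else
        echo "winbind rejects the user: check wbinfo -t, the domain join and the samba logs"
    fi
}

# Run one probe. $1 is "with" or "without", then user, domain, password.
# Prints the verdict for that run.
run_probe() {
    mode="$1"; user="$2"; domain="$3"; pass="$4"
    if [ "$mode" = with ]; then
        out=$("$NTLM_AUTH" --request-nt-key "--domain=$domain" \
                "--username=$user" "--password=$pass" 2>&1 | head -n 1)
    else
        out=$("$NTLM_AUTH" --request-nt-key \
                "--username=$user" "--password=$pass" 2>&1 | head -n 1)
    fi
    classify_ntlm_status "$out"
}

# Only probe when credentials are supplied, e.g.
#   NTLM_USER=testuser NTLM_DOMAIN=DOMAIN NTLM_PASS=... sh probe.sh
# --password= is visible to other local users via ps, so use a
# throwaway test account for this.
if [ -n "${NTLM_USER:-}" ] && [ -n "${NTLM_PASS:-}" ]; then
    v_with=$(run_probe with "$NTLM_USER" "${NTLM_DOMAIN:-DOMAIN}" "$NTLM_PASS")
    v_without=$(run_probe without "$NTLM_USER" "${NTLM_DOMAIN:-DOMAIN}" "$NTLM_PASS")
    echo "with --domain:    $v_with"
    echo "without --domain: $v_without"
    echo "next step: $(interpret "$v_with" "$v_without")"
fi
```

Because the two probes bypass FreeRADIUS entirely, a failure here points at winbind, the join or the domain name rather than at the mschap module, which is the distinction the thread is circling around.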