AW: PEAP+MSCHAP+AD (please help)

Alan DeKok aland at deployingradius.com
Mon Dec 11 19:52:34 CET 2006


Hector.Ortiz at swisscom.com wrote:
> About the client, when I turn the computer on, I have to type in the user
> credentials, the same ones that I use when testing FreeRadius.
> Windows sends FreeRadius the same user information in the two
> cases, but the outcome is completely different and this of
> course makes no sense.

  Windows is *not* sending the same information in both cases.  Please
go back and read the debugging output.  In each case, Windows is sending
a random challenge, and a "response" hash.  The "response" hash depends
on the challenge, password, and user name, so it is different for EVERY
request.

  Look at the debugging output, and type in the "ntlm_auth" lines by
hand on a command line (i.e. cut & paste from the debug output).  One
will succeed and one will fail.  This is because Active Directory is
deciding that one succeeds and the other fails.

  What is probably happening is that the Windows box is treating the
user name as "user" in one case, and "DOMAIN\user" in the other.  This
means that the expected response calculated by Active Directory MAY use
a different username than what the Windows client is using.  The
expected response is therefore not the same as what the Windows box
sends, so authentication fails.

  As to how to fix it?  I'm not sure.  The Windows box appears to be
doing something odd, and I don't know why.

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog
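The dependence of the MS-CHAPv2 "response" on the user name that Alan describes above comes from the ChallengeHash step of RFC 2759 section 8.2, where the peer challenge, the authenticator challenge and the user name are hashed together before the password ever enters the calculation. The Python below is an added example and is not part of this thread, of FreeRADIUS or of Samba's ntlm_auth; it computes that 8-octet challenge from constructed sample challenges and shows that "user" and "DOMAIN\user" give different challenges unless the domain prefix is removed, which RFC 2759 requires. The later step, DES-encrypting the challenge under the MD4 hash of the password to form the NT-Response, is omitted here. Function names and the sample values are my own.

```python
import hashlib

# Constructed 16-octet sample challenges (not taken from any real debug output).
PEER_CHALLENGE = bytes(range(0, 16))
AUTHENTICATOR_CHALLENGE = bytes(range(16, 32))


def strip_domain_prefix(username: str) -> str:
    """Return the bare user name: 'DOMAIN\\user' -> 'user', 'user' unchanged.

    RFC 2759 section 8.2 says only the user name as presented by the peer,
    excluding any prefixed domain name, is fed into the SHA1 computation.
    """
    _, sep, bare = username.rpartition("\\")
    return bare if sep else username


def challenge_hash(peer_challenge: bytes,
                   authenticator_challenge: bytes,
                   username: str) -> bytes:
    """ChallengeHash() from RFC 2759 section 8.2.

    SHA1(PeerChallenge || AuthenticatorChallenge || UserName), truncated to
    the first 8 octets.  This is the value the client later encrypts under
    the NT password hash, so a different user name string means a different
    expected response even when the password is identical.
    """
    if len(peer_challenge) != 16 or len(authenticator_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges are 16 octets each")
    sha = hashlib.sha1()
    sha.update(peer_challenge)
    sha.update(authenticator_challenge)
    sha.update(username.encode("utf-8"))
    return sha.digest()[:8]


def challenges_agree(peer_challenge: bytes,
                     authenticator_challenge: bytes,
                     client_username: str,
                     server_username: str,
                     normalise: bool = True) -> bool:
    """Would the server's expected challenge equal the one the client built?

    Models the situation in the thread: the client computes its response over
    one spelling of the name, the authenticating side over another.  With
    normalise=True both sides strip a domain prefix first, as the RFC says;
    with normalise=False the raw strings are used and a mismatch shows up.
    """
    if normalise:
        client_username = strip_domain_prefix(client_username)
        server_username = strip_domain_prefix(server_username)
    client_side = challenge_hash(peer_challenge, authenticator_challenge, client_username)
    server_side = challenge_hash(peer_challenge, authenticator_challenge, server_username)
    return client_side == server_side


if __name__ == "__main__":
    for name in ("alice", "EXAMPLE\\alice"):
        print(f"{name:16s} -> challenge {challenge_hash(PEER_CHALLENGE, AUTHENTICATOR_CHALLENGE, name).hex()}")
    print("raw strings agree:",
          challenges_agree(PEER_CHALLENGE, AUTHENTICATOR_CHALLENGE, "alice", "EXAMPLE\\alice", normalise=False))
    print("after stripping domain prefix:",
          challenges_agree(PEER_CHALLENGE, AUTHENTICATOR_CHALLENGE, "alice", "EXAMPLE\\alice"))
```

When comparing the two ntlm_auth lines from the debug output, the thing to look at is therefore the user name string each one passes alongside the challenge and response: if one carries a domain prefix and the other does not, the expected response computed on the Active Directory side is built over a different challenge and cannot match.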



More information about the Freeradius-Users mailing list