Active directory and MS-CHAP Authentication.

Wed May 10 13:08:39 CEST 2006

Antonio Matera wrote:
> 
>> Your eap.conf is irrelevant because...
>>
>>>
>>> authorize {
>>>     preprocess
>>>     mschap
>>>     suffix
>>>     #eap
>>>     files
>>> }
>>
>> ...you've disabled eap by commenting it out.
>>
>> Why do people insist on breaking the server? Start with the default 
>> config and make small changes to work towards what you need. Making 
>> massive changes without understanding the consequences just breaks it.
>>
> 
> In the second part off my last mail I have insert the log with eap 
> config. The changes in my server are for the EAP-TLS authentication. I 
> need two different authentication for my purpose.

I don't understand you here.

> 
>>>
>>> I don't know if I have to insert in the authorize and authenticate 
>>> module eap. Whitout it I have this log:
>>
>> Of course you do. How else would EAP work?
>>
> 
> I re-write my log with eap conf.

radius_xlat:  '/usr/bin/ntlm_auth --request-nt-key --domain=create-net 
--username=antonio --challenge=bede046aa1e50281 
--nt-response=d483da3fd5896df961259f08a02a57a8e6d1e5de14c5ac81'
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=create-net 
--username=antonio --challenge=bede046aa1e50281 
--nt-response=d483da3fd5896df961259f08a02a57a8e6d1e5de14c5ac81
Exec-Program output: Logon failure (0xc000006d)
Exec-Program-Wait: plaintext: Logon failure (0xc000006d)

It's hard to be sure since it looks like you've pasted together 3 or 4 
runs of the server into one debug log, but the above message is very 
clear. Logon failure.

The radius server is working fine. For some reason ntlm_auth is failing 
your password. This could be because you've typed it wrong, or a samba 
or AD/NT misconfiguration.

Try removing the "--domain" argument from the ntlm_auth helper. If 
"create-net" is your default domain it should not be needed and I've 
seen issues with it before.

Does "ntlm_auth --username=antonio --password=yourpass" work?