freeradius and ntlm_auth howto
King, Michael
MKing at bridgew.edu
Fri Oct 27 16:36:00 CEST 2006
Let's see if we can get this solved...
> -----Original Message-----
> Here's the full log:
> Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 10.104.254.73:1645,
This is NOT the full log. The full log would have started with the line
/path/to/radiusd -X
Some important stuff is printed out there, it helps us help you.
> rlm_mschap: NT Domain delimeter found, should we have
> enabled with_ntdomain_hack?
> rlm_mschap: NT Domain delimeter found, should we have
> enabled with_ntdomain_hack?
Did you enable Ntdomain Hack in the MSCHAP module? (See below)
Including your radius.conf file would help.
> > HOWEVER, first you may want to check your mschap module definition:
> >
> > modules {
> > mschap {
> > ntlm_auth = "/usr/bin/ntlm_auth \
> > --request-nt-key \
> > --username=%{mschap:User-Name:-None} \
> > --domain=%{mschap:NT-Domain:-None} \
> > --challenge=%{mschap:Challenge:-00} \
> > --nt-response=%{mschap:NT-Response:-00}"
> >
> > ...all on one line of course. Note the use of the "mschap:User-Name"
> > and "mschap:NT-Domain" values.
My radiusd.conf file's mschap section looks like this:
NOTE that I do NOT have the :-00 and the :-None statements, and I DO
have with_ntdomain_hack=yes
	# Microsoft CHAP authentication
	#
	# This module supports MS-CHAP and MS-CHAPv2 authentication.
	# It also enforces the SMB-Account-Ctrl attribute.
	#
	mschap {
		with_ntdomain_hack = yes
		ntlm_auth = "/usr/bin/ntlm_auth \
			--request-nt-key \
			--username=%{mschap:User-Name} \
			--challenge=%{mschap:Challenge} \
			--nt-response=%{mschap:NT-Response}"
	}