EAP-TLS OK - EAP-PEAP KO!! why that?

Alan DeKok aland at deployingradius.com
Sat Jul 19 20:07:43 CEST 2008


Reveal MAP wrote:
> user=maman
> passwd= maman
> is a sql based user.
> 
> trying PEAP with an SQL-based user gives an error message,

  Which... is what?  Is it a secret?

> but trying it with an
> AD-based user gives no error message, it just doesn't connect...

  FreeRADIUS gives no error message?  Or the client?  Are you trying to
debug the FreeRADIUS configuration by looking at the login screen on the
client machine?

> with radtest:

  Which sends a PAP request.  Which doesn't use the MS-CHAP module.
Which doesn't go to AD.

> same credential with my Access-Point (part of output).
> ---------------------------------------------------------------------------------------------
> 
>  rlm_eap: Request found, released from the list
>   rlm_eap: EAP/mschapv2

  Which is using MS-CHAP.  Which then uses the MS-CHAP module.  Which
*you* have configured to ask AD.

> Exec-Program output: Logon failure (0xc000006d)

  So... fix that.  Run ntlm_auth from the command line until it works.
Then use the same password to log in via PEAP.

  Or... if you want to authenticate PEAP users via SQL (which you seem
to be saying), then don't configure the mschap module to use ntlm_auth.

  Alan DeKok.
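
The two options in the reply above, as an added configuration sketch that is not part of the original post. The `ntlm_auth` line follows the form shipped commented out in FreeRADIUS's default mschap module configuration; the path to ntlm_auth and the file the section lives in are assumptions.

```conf
# mschap module section (radiusd.conf or modules/mschap, depending on version).
# Use ONE of the two variants below, not both.

# Variant A: PEAP/MS-CHAPv2 users are in Active Directory.
# The module passes the MS-CHAP challenge and NT-Response to ntlm_auth,
# which asks AD. A wrong password or unknown account comes back as
# "Logon failure (0xc000006d)" in the Exec-Program output.
# /usr/bin/ntlm_auth is an assumed path.
mschap {
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

# Variant B: PEAP/MS-CHAPv2 users are in SQL.
# With ntlm_auth unset, the module verifies the response locally against
# the password the sql module returned for the user. That password must be
# available as Cleartext-Password or NT-Password: MS-CHAPv2 cannot be
# checked against a one-way hash such as crypt or MD5.
mschap {
#	ntlm_auth = "..."
}
```

A radtest run exercises neither variant, because it sends PAP and never reaches the mschap module.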


