ClearText-Password?

Dean, Barry B.Dean at liverpool.ac.uk
Wed Mar 5 17:20:15 CET 2008


> Hi,
> 
>> rad_recv: Access-Request packet from host 138.253.XXX.XXX port 47032, id=195, length=49
>>         User-Name = "user"
>>         User-Password = "passwd"
>>         NAS-IP-Address = 138.253.XXX.XXX

>There. No MS-CHAP-Challenge. You are not supposed to process this packet with the rlm_mschap module. Why does it fail? ...

I see now why this was failing. Client was doing non-MSCHAP and there was no section telling RADIUS how to authenticate this type of request.

>> Config:
>>
>> users:
>>
>> DEFAULT Auth-Type = mschap
>>         Acct-Session-Id = "Local",
>>         Fall-Through = Yes

>Write a hundred times on the blackboard: "I will not set Auth-Type." The server will figure out itself what to do. In this case, PAP.

Duly removed. I inherited the config and assumed it had been added for good reason. It works without so it has been removed.


>> If I don’t force MSCHAP in users, how else do I get the user checked 
>> against AD when the only place ntlm_auth is called is inside the 
>> mschap module?

>You configure your AD server in the ldap {} section and uncomment the ldap stanzas in authorize and authenticate. You don't call ntlm_auth then, and that is because you don't need ntlm_auth - user authentication is done with an LDAP bind() operation with the user credentials.

With some pain, I now have the LDAP to AD authentication working. I have not tested *all* methods, but the ones I am interested in supporting seem to work. EAP-MD5 fails, but that is an exercise for another day if I feel I need to fix it.

>Greetings,
>
>Stefan Winter

Thanks for your help. You pointed me in the right direction which was all I needed really.

---------------
Barry Dean
Networks Team
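
The point made in the quoted reply, that the request itself shows which method applies (no MS-CHAP-Challenge, so PAP), can be checked by parsing such a packet. This is an added example, not code from this thread or from FreeRADIUS; the function names, the constructed sample packet and the shared secret passed in are assumptions for illustration.

```python
import hashlib
import struct

# Attribute numbers from RFC 2865 (1, 2, 3, 26) and RFC 3579 (79).
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, VENDOR_SPECIFIC, EAP_MESSAGE = 1, 2, 3, 26, 79
# Start of a Vendor-Specific value: Microsoft vendor id 311, sub-attribute 11 (RFC 2548).
MS_CHAP_CHALLENGE = struct.pack("!IB", 311, 11)

def parse_request(packet):
    """Return (request authenticator, [(type, value), ...]) of a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        alen = packet[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((packet[pos], packet[pos + 2:pos + alen]))
        pos += alen
    return packet[4:20], attrs

def auth_method(attrs):
    """Name the method implied by the attributes the client actually sent."""
    types = {t for t, _ in attrs}
    if EAP_MESSAGE in types:
        return "EAP"
    # Simplification: only the first sub-attribute of each Vendor-Specific is checked.
    if any(t == VENDOR_SPECIFIC and v.startswith(MS_CHAP_CHALLENGE) for t, v in attrs):
        return "MS-CHAP"
    if CHAP_PASSWORD in types:
        return "CHAP"
    return "PAP" if USER_PASSWORD in types else "unknown"

def pap_xor(block, secret, authenticator):
    """RFC 2865 User-Password hiding for one 16-byte block (XOR, so it also unhides)."""
    key = hashlib.md5(secret + authenticator).digest()
    return bytes(a ^ b for a, b in zip(block, key))

def sample_request(secret):
    """Constructed Access-Request shaped like the one quoted in the thread."""
    auth = bytes(range(16))  # constructed request authenticator
    body = bytes([USER_NAME, 6]) + b"user"
    body += bytes([USER_PASSWORD, 18]) + pap_xor(b"passwd".ljust(16, b"\0"), secret, auth)
    body += bytes([4, 6, 192, 0, 2, 1])  # NAS-IP-Address, documentation address
    return struct.pack("!BBH", 1, 195, 20 + len(body)) + auth + body
```

With PAP the server can recover the password the user typed from User-Password using the shared secret, which is what makes authenticating by LDAP bind possible for this kind of request.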




