Cisco VPN Radius with expiry & Windows domain password expiration
kesm0724
kevin.smith at emp.shentel.com
Fri Oct 10 20:59:07 CEST 2008
Is there anything special (ntlm_auth, ldap_attr,etc) that I need to configure
for FreeRadius to recognize that an active directory account has expired and
the user needs to be prompted to change his/her password? I am not even
receiving the "user needs to change password" dialogue box from the Cisco
VPN client.
Full Debug:
FreeRADIUS Version 2.0.5, for host i686-pc-linux-gnu, built on Oct 1 2008
at 15:12:24
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc//raddb/radiusd.conf
including configuration file /etc//raddb/clients.conf
including configuration file /etc//raddb/snmp.conf
including files in directory /etc//raddb/modules/
including configuration file /etc//raddb/modules/krb5
including configuration file /etc//raddb/modules/chap
including configuration file /etc//raddb/modules/echo
including configuration file /etc//raddb/modules/always
including configuration file /etc//raddb/modules/preprocess
including configuration file /etc//raddb/modules/sql_log
including configuration file /etc//raddb/modules/expiration
including configuration file /etc//raddb/modules/acct_unique
including configuration file /etc//raddb/modules/digest
including configuration file /etc//raddb/modules/pap
including configuration file /etc//raddb/modules/passwd
including configuration file /etc//raddb/modules/ippool
including configuration file /etc//raddb/modules/attr_rewrite
including configuration file /etc//raddb/modules/logintime
including configuration file /etc//raddb/modules/policy
including configuration file /etc//raddb/modules/radutmp
including configuration file /etc//raddb/modules/unix
including configuration file /etc//raddb/modules/smbpasswd
including configuration file /etc//raddb/modules/sradutmp
including configuration file /etc//raddb/modules/ldap
including configuration file /etc//raddb/modules/mac2vlan
including configuration file /etc//raddb/modules/realm
including configuration file /etc//raddb/modules/expr
including configuration file /etc//raddb/modules/mschap
including configuration file /etc//raddb/modules/checkval
including configuration file /etc//raddb/modules/mac2ip
including configuration file /etc//raddb/modules/counter
including configuration file /etc//raddb/modules/etc_group
including configuration file /etc//raddb/modules/pam
including configuration file /etc//raddb/modules/attr_filter
including configuration file /etc//raddb/modules/detail
including configuration file /etc//raddb/modules/detail.log
including configuration file /etc//raddb/modules/exec
including configuration file /etc//raddb/modules/files
including configuration file /etc//raddb/sql/mysql/counter.conf
including configuration file /etc//raddb/policy.conf
including files in directory /etc//raddb/sites-enabled/
including configuration file /etc//raddb/sites-enabled/inner-tunnel
including configuration file /etc//raddb/sites-enabled/default
including dictionary file /etc//raddb/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
libdir = "/lib"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/var/run/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = no
log {
stripped_names = no
auth = yes
auth_badpass = no
auth_goodpass = no
}
radiusd: #### Loading Realms and Home Servers ####
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating expr
Module: Linked to module rlm_expiration
Module: Instantiating expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating pap
pap {
encryption_scheme = "auto"
auto_header = yes
}
Module: Linked to module rlm_chap
Module: Instantiating chap
Module: Linked to module rlm_mschap
Module: Instantiating mschap
mschap {
use_mppe = yes
require_encryption = yes
require_strong = no
with_ntdomain_hack = yes
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=voila
--username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}"
}
Module: Linked to module rlm_unix
Module: Instantiating unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Module: Linked to module rlm_ldap
Module: Instantiating ldap
ldap {
server = "10.1.16.130"
port = 389
password = "xxxx"
identity = "cn=project,cn=users,dc=voila,dc=com"
net_timeout = 5
timeout = 10
timelimit = 6
tls_mode = no
start_tls = no
tls_require_cert = "allow"
tls {
start_tls = no
require_cert = "allow"
}
basedn = "dc=voila,dc=com"
filter = "(sAMAccountName=%{mschap:User-Name:-%{User-Name}})"
base_filter = "(objectclass=radiusprofile)"
auto_header = no
access_attr_used_for_allow = yes
groupname_attribute = "cn"
groupmembership_filter =
"(|(&(objectClass=group)(member=%{check:Ldap-UserDn}))(&(objectClass=GroupOfNames)(member=%{check:Ldap-UserDn})))"
groupmembership_attribute = "memberOf"
dictionary_mapping = "/etc//raddb/ldap.attrmap"
ldap_debug = 0
ldap_connections_number = 4
compare_check_items = no
do_xlat = yes
set_auth_type = yes
}
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file /etc//raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS
Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS
Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS
Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
conns: 0x99849e0
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating suffix
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating files
files {
usersfile = "/etc//raddb/users"
acctusersfile = "/etc//raddb/acct_users"
preproxy_usersfile = "/etc//raddb/preproxy_users"
compat = "no"
}
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating attr_filter.access_reject
attr_filter attr_filter.access_reject {
attrsfile = "/etc//raddb/attrs.access_reject"
key = "%{User-Name}"
}
}
}
server {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating preprocess
preprocess {
huntgroups = "/etc//raddb/huntgroups"
hints = "/etc//raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Linked to module rlm_detail
Module: Instantiating auth_log
detail auth_log {
detailfile =
"/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Instantiating ntdomain
realm ntdomain {
format = "prefix"
delimiter = """
ignore_default = no
ignore_null = no
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address,
NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Instantiating detail
detail {
detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Instantiating attr_filter.accounting_response
attr_filter attr_filter.accounting_response {
attrsfile = "/etc//raddb/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Instantiating reply_log
detail reply_log {
detailfile =
"/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
}
}
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Ready to process requests.
rad_recv: Access-Request packet from host 10.1.1.6 port 1086, id=7,
length=187
User-Name = "voila\\test"
NAS-Port = 1231
Service-Type = Framed-User
Framed-Protocol = PPP
Called-Station-Id = "204.112.1.1"
Calling-Station-Id = "204.112.1.1"
Tunnel-Client-Endpoint:0 = "204.112.1.1"
MS-CHAP-Challenge = 0x36d49923fd91c9278280554b4eba353f
MS-CHAP2-Response =
0x0000572d60ba1df18e11d0a20a3e9919126a00000000000000000e3814caf0302452f2c32c894d5678b939353e20ea160
NAS-IP-Address = 10.1.1.6
NAS-Port-Type = Virtual
+- entering group authorize
++[preprocess] returns ok
expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/radius/radacct/10.2.1.6/auth-detail-20081010
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/10.2.1.6/auth-detail-20081010
expand: %t -> Fri Oct 10 10:41:08 2008
++[auth_log] returns ok
++[chap] returns noop
rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
rlm_realm: No '@' in User-Name = "voila\test", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_realm: No '"' in User-Name = "voila\test", looking up realm NULL
rlm_realm: No such realm "NULL"
++[ntdomain] returns noop
++[unix] returns notfound
rlm_ldap: Entering ldap_groupcmp()
expand: dc=voila,dc=com -> dc=voila,dc=com
expand: (sAMAccountName=%{mschap:User-Name:-%{User-Name}}) ->
(sAMAccountName=test)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.1.16.130:389, authentication 0
rlm_ldap: bind as cn=project,cn=users,dc=voila,dc=com/pR0j3cT1 to
10.1.16.130:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=voila,dc=com, with filter
(sAMAccountName=test)
rlm_ldap: ldap_release_conn: Release Id: 0
expand:
(|(&(objectClass=group)(member=%{check:Ldap-UserDn}))(&(objectClass=GroupOfNames)(member=%{check:Ldap-UserDn})))
->
(|(&(objectClass=group)(member=CN\3dtest\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom))(&(objectClass=GroupOfNames)(member=CN\3dtest\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom)))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=voila,dc=com, with filter
(&(cn=Radius-Admin)(|(&(objectClass=group)(member=CN\3dtest\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom))(&(objectClass=GroupOfNames)(member=CN\3dtest\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom))))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in CN=test,CN=Users,DC=voila,DC=com, with filter
(objectclass=*)
rlm_ldap: performing search in
CN=allsubscribers74e30221,CN=Users,DC=voila,DC=com, with filter
(cn=Radius-Admin)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: performing search in
CN=allsubscribers0f1f0e1c,CN=Users,DC=voila,DC=com, with filter
(cn=Radius-Admin)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: performing search in
CN=VPN-Users,OU=Groups-Access,DC=voila,DC=com, with filter (cn=Radius-Admin)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: performing search in
CN=AlarmCapture-SQL,OU=Groups-Access,DC=voila,DC=com, with filter
(cn=Radius-Admin)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: performing search in CN=LAN
Inet,OU=Groups-Websense,DC=voila,DC=com, with filter (cn=Radius-Admin)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: performing search in CN=voila_Center_All,OU=Group
Emails,DC=voila,DC=com, with filter (cn=Radius-Admin)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: performing search in
CN=BHT-Administrator,OU=Groups-Access,DC=voila,DC=com, with filter
(cn=Radius-Admin)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: performing search in
CN=CSDB-Property-Management,OU=Groups-Access,DC=voila,DC=com, with filter
(cn=Radius-Admin)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: performing search in
CN=IM_Commsoft,OU=Groups-Access,DC=voila,DC=com, with filter
(cn=Radius-Admin)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: performing search in
CN=IM_Authorized,OU=Groups-Access,DC=voila,DC=com, with filter
(cn=Radius-Admin)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: performing search in CN=Broadhop-League,OU=Group
Emails,DC=voila,DC=com, with filter (cn=Radius-Admin)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: performing search in
CN=Project-AllUsers,OU=Groups-Access,DC=voila,DC=com, with filter
(cn=Radius-Admin)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: performing search in
CN=sprint-ftp,OU=Groups-Access,DC=voila,DC=com, with filter
(cn=Radius-Admin)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: performing search in CN=NetTechs,OU=Groups-Access,DC=voila,DC=com,
with filter (cn=Radius-Admin)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: performing search in CN=LAN,OU=Groups-Access,DC=voila,DC=com, with
filter (cn=Radius-Admin)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: performing search in CN=IM_Lan,OU=Groups-Access,DC=voila,DC=com,
with filter (cn=Radius-Admin)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: performing search in
CN=Project-Admins,OU=Groups-Access,DC=voila,DC=com, with filter
(cn=Radius-Admin)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: performing search in
CN=Amtelco-Ultracom,OU=Groups-Access,DC=voila,DC=com, with filter
(cn=Radius-Admin)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: performing search in CN=ridata,OU=Groups-Access,DC=voila,DC=com,
with filter (cn=Radius-Admin)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: performing search in CN=EVERYONE,OU=Groups-Access,DC=voila,DC=com,
with filter (cn=Radius-Admin)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: performing search in CN=NetAdmins,OU=Group Emails,DC=voila,DC=com,
with filter (cn=Radius-Admin)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: performing search in CN=AlertNotification,OU=Group
Emails,DC=voila,DC=com, with filter (cn=Radius-Admin)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap::groupcmp: Group Radius-Admin not found or user not a member
rlm_ldap: ldap_release_conn: Release Id: 0
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for voila\test
expand: (sAMAccountName=%{mschap:User-Name:-%{User-Name}}) ->
(sAMAccountName=test)
expand: dc=voila,dc=com -> dc=voila,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=voila,dc=com, with filter
(sAMAccountName=test)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the
user is configured correctly?
rlm_ldap: user voila\test authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
rad_check_password: Found Auth-Type mschap
auth: type "MSCHAP"
+- entering group MS-CHAP
rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password.
rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for test with NT-Password
expand: --username=%{mschap:User-Name} -> --username=test
mschap2: 36
expand: --challenge=%{mschap:Challenge:-00} -> --challenge=d9afee48d6040631
expand: --nt-response=%{mschap:NT-Response:-00} ->
--nt-response=0e3814caf0302452f2c32c894d5678b93935331ee20ea160
Exec-Program output: Must change password (0xc0000224)
Exec-Program-Wait: plaintext: Must change password (0xc0000224)
Exec-Program: returned: 1
rlm_mschap: External script failed.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
auth: Failed to validate the user.
Login incorrect: [voila\\test] (from client Test port 1231 cli 204.112.1.1)
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> voila\test
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 7 to 10.1.1.6 port 1086
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 7 with timestamp +8
Ready to process requests.
kesm0724 wrote:
>
> Hello All,
>
> I have a cisco vpn concentrator and in the past have had it pointed to a
> Windows IAS Server. I have now switched to Freeradius and have discovered
> that when a user needs to "Change password on next logon" the cisco vpn
> client does not prompt for a password change. Prior to moving to
> Freeradius the password change prompt comes up allowing the user to change
> their password. On the concentrator I do have "Radius with Expiry"
> configured and have switched back and forth between the IAS Server and the
> Freeradius server to ensure it was something particular to the
> authentication servers not the concentrator.
>
> I notice the following in debug:
>
> rlm_mschap: Told to do MS-CHAPv2 for test with NT-Password
> expand: --username=%{mschap:User-Name} -> --username=test
> mschap2: 83
> expand: --challenge=%{mschap:Challenge:-00} ->
> --challenge=04e843995bfbdbca
> expand: --nt-response=%{mschap:NT-Response:-00} ->
> --nt-response=a378afdf127434783890d2e2e4f9d5bd97976a00d2c51fa4
> Exec-Program output: Must change password (0xc0000224)
> Exec-Program-Wait: plaintext: Must change password (0xc0000224)
> Exec-Program: returned: 1
> rlm_mschap: External script failed.
> rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
>
> I have been looking on Google for windows domain password expiry +
> freeradius amongst other search strings all to no avail. Can anyone tell
> me what I'm doing wrong?
>
> Thanks.
>
>
>
--
View this message in context: http://www.nabble.com/Cisco-VPN-Radius-with-expiry---Windows-domain-password-expiration-tp19907575p19924104.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
More information about the Freeradius-Users
mailing list