Problem with MSCHAP
Mark Holmes
mark.holmes at nuffield.ox.ac.uk
Tue Oct 12 10:25:41 CEST 2010
OK,
Just to recap, I'm working on setting FreeRADIUS up to authenticate users to our wireless network. We want to use PEAP-MSCHAPv2 and authenticate against Active Directory. I'm using Samba and ntlm_auth.
Versions: freeradius2-2.1.7-7.el5 and samba3.0.33-3.29
Needless to say, it's failing.
I set the mydomain.ox.ac.uk realm in proxy.conf as someone on here suggested on Friday, and that has cleared up the warning about unknown realms.
When connecting, I still get several errors before auth fails.
I've pasted my debug output into the web tool and it picks out the following in red:
 security {
 	max_attributes = 200
 	reject_delay = 1 (This line in red)
 	status_server = yes
 }
(all in red)
 Module: Instantiating attr_filter.access_reject
  attr_filter attr_filter.access_reject {
 	attrsfile = "/etc/raddb/attrs.access_reject"
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. (In yellow)
I also see (not highlighted) that I'm still getting:
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for holmes at mydomain.ox.ac.uk with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
I have configured modules/mschap to use ntlm_auth as follows:
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
Am I missing something in the MSCHAP config?
Cheers,
Mark