Example configuration that proxy PEAP MSCHAPv2 to an IAS server

Phil Mayers p.mayers at imperial.ac.uk
Wed Aug 31 15:48:00 CEST 2011


On 30/08/11 21:12, Glenn Machin wrote:
> Phil - thanks for the feedback.
>
> I just ended up proxying out to the IAS server usernames starting with
> "DOMAIN\".

Ok. Obviously that will fail if someone enters their wireless credentials 
without a domain.

>
> I configured the freeradius server to not support mschapv2 but will
> support PEAP/GTC EAP/TLS.
>
>
> It seems to be working fine with the Macs, iPads and Linux systems while
> the windows systems are happy to talk to the IAS server.
>
>
> It still bugs that ntlm_auth would not authenticate to the domain
> controllers the challenge and nt-response.

I repeat: if you send debug info, people may be able to help.

>
>
> I assume no one else is having any issues using ntlm_auth to W2008
> servers? It may be some Windows GPO at our site for all I know.

Exactly which version of Windows (2008 or 2008R2?) and at which 
functional level is your domain?

Did you try increasing the debug level for winbind using "smbcontrol" 
and then examining the debug logs after a failed auth?

For what it's worth, we have no problems with Windows 2008R2 domain 
controllers and the "samba3x" package available under RHEL5 (samba 
version 3.5.4-0.70.el5). We did have problems with earlier (Samba 3.3) 
versions after we'd upgraded to 2008R2 and upgraded functional level.


