mschap with ntlm_auth and Active Directory
McNutt, Justin M.
McNuttJ at missouri.edu
Thu Mar 3 16:24:55 CET 2011
> Found Auth-Type = MSCHAP
> +- entering group MS-CHAP {...}
> [mschap] Told to do MS-CHAPv1 with NT-Password
> [mschap] expand: --username=%{mschap:User-Name:-None} -> --username=001E52805980
> [mschap] No NT-Domain was found in the User-Name.
> [mschap] expand: %{mschap:NT-Domain} ->
> [mschap] ... expanding second conditional
> [mschap] expand: --domain=%{%{mschap:NT-Domain}:-MY.ACTUAL.DOMAIN} -> --domain=MY.ACTUAL.DOMAIN
> [mschap] mschap1: 86
> [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=86acd2fc97136970
> [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=bc25975c513bb7dc3b2b1068d2ac048fe46e52a840f4f662
> Exec-Program output: Logon failure (0xc000006d)
> Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
> Exec-Program: returned: 1
> [mschap] External script failed.
> [mschap] MS-CHAP-Response is incorrect.
> ++[mschap] returns reject
> Failed to authenticate the user.
First things first. When you run this on the command line, what exactly do you get?
ntlm_auth --request-nt-key \
--username=001E52805980 \
--domain=MY.ACTUAL.DOMAIN \
--challenge=86acd2fc97136970 \
--nt-response=bc25975c513bb7dc3b2b1068d2ac048fe46e52a840f4f662
(You may need to run FreeRADIUS in debug mode, observe another failure, and then copy the challenge and response values from that *recent* failure in there for this to work. I don't know what the lifetime is on those values. Using the ones from hours ago may not work.)
Second question is, is "request-nt-key" appropriate in this case? I only ask because I've only ever used ntlm_auth to authenticate Windows hosts directly. In this case, the wireless controller is doing the authentication, and the wireless controller is not a Windows box. Sure, it's using a set of credentials in AD, but that's not exactly the same. The *Windows* box is not doing the authentication. The *controller* is.
--J
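As an added troubleshooting aid (not part of this post, nor code from FreeRADIUS or Samba), the POSIX shell script below pulls the four values rlm_mschap expanded out of a radiusd -X debug log and rebuilds the ntlm_auth command line suggested above, so the exact failing request can be replayed by hand against winbind. The sample log is constructed from the lines quoted in this thread, joined onto single lines the way radiusd prints them; the function names are my own, and the length check assumes the 8-byte challenge and 24-byte NT response that rlm_mschap hands to ntlm_auth.

```shell
#!/bin/sh
# Added example (not from the original post): rebuild the ntlm_auth invocation
# that rlm_mschap ran, from the "expand: ... -> --flag=value" lines in a
# FreeRADIUS debug log, so the failing request can be replayed manually.

# Constructed sample of rlm_mschap debug output, using the values quoted in
# the thread; each expand line is on a single line as radiusd prints it.
SAMPLE_LOG='Found Auth-Type = MSCHAP
[mschap] Told to do MS-CHAPv1 with NT-Password
[mschap] expand: --username=%{mschap:User-Name:-None} -> --username=001E52805980
[mschap] No NT-Domain was found in the User-Name.
[mschap] expand: --domain=%{%{mschap:NT-Domain}:-MY.ACTUAL.DOMAIN} -> --domain=MY.ACTUAL.DOMAIN
[mschap] mschap1: 86
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=86acd2fc97136970
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=bc25975c513bb7dc3b2b1068d2ac048fe46e52a840f4f662
Exec-Program output: Logon failure (0xc000006d)
Exec-Program: returned: 1'

# mschap_expanded LOG FLAG: print the value rlm_mschap expanded for --FLAG
# (the text after "-> --FLAG="); the last occurrence in the log wins.
mschap_expanded() {
    printf '%s\n' "$1" | sed -n "s/.*-> --$2=\(.*\)$/\1/p" | tail -n 1
}

# ntstatus_from_log LOG: print the NTSTATUS code ntlm_auth reported, if any
# (0xc000006d in the sample), so it can be compared with the hand-run result.
ntstatus_from_log() {
    printf '%s\n' "$1" | sed -n 's/.*Exec-Program output: .*(\(0x[0-9a-fA-F]*\)).*/\1/p' | tail -n 1
}

# build_ntlm_auth_cmd LOG: print the ntlm_auth command that reproduces the
# request. Returns 1 if any of the four values is missing from the log and
# 2 if the challenge/response are not the lengths ntlm_auth expects.
build_ntlm_auth_cmd() {
    log="$1"
    user=$(mschap_expanded "$log" username)
    domain=$(mschap_expanded "$log" domain)
    challenge=$(mschap_expanded "$log" challenge)
    response=$(mschap_expanded "$log" nt-response)
    for v in "$user" "$domain" "$challenge" "$response"; do
        [ -n "$v" ] || return 1
    done
    # rlm_mschap passes an 8-byte challenge and a 24-byte NT response as hex,
    # i.e. 16 and 48 hex digits; other lengths mean the log was mangled.
    [ ${#challenge} -eq 16 ] && [ ${#response} -eq 48 ] || return 2
    printf 'ntlm_auth --request-nt-key --username=%s --domain=%s --challenge=%s --nt-response=%s\n' \
        "$user" "$domain" "$challenge" "$response"
}

build_ntlm_auth_cmd "$SAMPLE_LOG"
```

Feed it the output of a fresh radiusd -X run rather than the sample, then paste the printed command into a shell on the RADIUS server (as the same user radiusd runs as, so winbind pipe permissions are exercised too). As the post notes, use challenge and response values from a recent failure; the script only reconstructs what rlm_mschap sent, it does not generate new ones.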