mschap with ntlm_auth and Active Directory
McNutt, Justin M.
McNuttJ at missouri.edu
Sat Mar 5 04:05:46 CET 2011
> > root at FREERADIUS:/etc/freeradius# ntlm_auth --username=0024D6650564
> > --password=Pa$$w0rd
> > NT_STATUS_OK: Success (0x0)
> > root at FREERADIUS:/etc/freeradius# ntlm_auth --username=0024D670F3A6
> > --password=Pa$$w0rd
> > NT_STATUS_OK: Success (0x0)
> > root at FREERADIUS:/etc/freeradius# ntlm_auth --username=0024D6650564
> > --password=Pa$$w0rd
> > NT_STATUS_OK: Success (0x0)
> >
> > The password Pa$$w0rd is set in the Wireless Controller, if that's what you
> > mean by mschap client?
May I suggest two things:
1) I'm assuming that the password is not actually 'Pa$$w0rd', but that string reminds me that certain special characters - the dollar sign is a notable one - are not always handled correctly in password strings. Even if FreeRADIUS is handling it correctly, AD may not, and the wireless controller may not. I suggest setting the password to something simpler. If your password policy requires special characters, use dash, equals, underscore, or dot. I have used passwords with these characters successfully when authenticating via EAP/PEAP through FreeRADIUS and then on through MSCHAPv2 to AD via ntlm_auth. (Same chain as you.)
2) Even if you are confident that your real password's characters are not a problem, re-enter it on the wireless controller, MANUALLY. You may have accidentally entered an unprintable character or a space or some similar thing that causes the password to APPEAR to be correct, when in fact it doesn't match.
--J
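
An added example, not part of the original message: a POSIX shell sketch of the two checks suggested above, run against a test password before it is entered on the controller. The helper names (`shell_safe_arg`, `audit_password`, `demo_unquoted`, `demo_quoted`) and the sample strings are constructed for illustration. It also shows that an unquoted `$$` on a shell command line is replaced by the shell's process ID before the program receives the argument.

```shell
#!/bin/sh
# Added illustration; helper names and sample strings are constructed.
LC_ALL=C; export LC_ALL

# 0 if the string reaches a program unchanged when typed UNQUOTED on a
# POSIX shell command line, 1 if the shell would expand, split or drop it.
shell_safe_arg() {
    case $1 in
        '') return 1 ;;
        *[!A-Za-z0-9_.=+:,@%/-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print space-separated findings for a candidate password (empty = clean).
audit_password() {
    findings=""
    shell_safe_arg "$1" || findings="$findings shell-meta"
    case $1 in
        *[[:space:]]*) findings="$findings whitespace" ;;
    esac
    # Count bytes outside printable ASCII (0x20-0x7e): control characters,
    # tabs, pasted non-breaking spaces and other invisible input.
    odd=$(printf '%s' "$1" | tr -d '\040-\176' | wc -c | tr -d ' ')
    if [ "$odd" -gt 0 ]; then
        findings="$findings non-printable:$odd"
    fi
    printf '%s\n' "${findings# }"
}

# Unquoted, $$ is the shell's process ID; single quotes keep it literal.
demo_unquoted() { printf '%s' Pa$$w0rd; }
demo_quoted()   { printf '%s' 'Pa$$w0rd'; }

audit_password 'Pa$$w0rd'        # constructed sample
audit_password 'Wifi-Test_01.x'  # constructed sample using - _ .
```

A `shell-meta` finding means the string needs single quotes when typed on a command line; a `whitespace` or `non-printable` finding points to the kind of invisible mismatch described in point 2.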