Help with proxy settings please
Phil Mayers
p.mayers at imperial.ac.uk
Thu Jan 12 14:37:38 CET 2012
On 01/12/2012 01:23 PM, lmgo5991 wrote:
> Hi,
> Could someone please shed some light on where we are going wrong. We
> have followed the documentation provided however it is unclear where to
> reference our internal AD servers.
Your subject line is a bit confusing. You say "proxy settings" but I see
no evidence that you are doing any proxying; you appear to just be doing
normal local authentication.
It seems you are trying to do PEAP/MSCHAP. Validating MSCHAP requires
either:
1. The NT hash
2. The plaintext password, from which the NT hash can be generated
3. Access to a 3rd party machine that can check the challenge/response
for you
See:
http://deployingradius.com/documents/protocols/compatibility.html
If your account details are stored in Active Directory, you can only use
option 3. This translates into:
1. Install Samba
2. Join Samba to the domain
3. Start winbind
4. Configure FreeRADIUS to use ntlm_auth to check MSCHAP against the
AD controllers
See:
http://wiki.freeradius.org/FreeRADIUS%20Active%20Directory%20Integration%20HOWTO
> /usr/local/etc/raddb/sites-enabled/inner-tunnel
> [mschapv2] +- entering group MS-CHAP {...}
> [mschap] No Cleartext-Password configured. Cannot create LM-Password.
> [mschap] No Cleartext-Password configured. Cannot create NT-Password.
> [mschap] Creating challenge hash with username: radldapuser at gcu.ac.uk
> [mschap] Told to do MS-CHAPv2 for radldapuser at gcu.ac.uk with NT-Password
> [mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
> [mschap] FAILED: MS-CHAP2-Response is incorrect
As you can see, FreeRADIUS can't check your password because it doesn't
know it.
Note: you CANNOT USE LDAP to solve this problem. Active Directory does
not expose the required data over LDAP. You MUST use Samba & ntlm_auth.
Hope this helps.
Cheers,
Phil