Freeradius with EAP/MSChap and Windows 2012

Carsten Czerner carsten.czerner at leuphana.de
Tue Jan 21 15:47:40 CET 2014


Hi,

I have some trouble with the implementation of WLAN PEAP 
authentication with freeradius and ntlm_auth against a Windows 2012 server.

I used the freeradius howto:

- The PC can authenticate against the domain:

root at rad1-wlan:/etc/freeradius/sites-enabled# /usr/bin/ntlm_auth 
--request-nt-key --domain=ADINT.DIR --username=peterpan --password=1234567
NT_STATUS_OK: Success (0x0)


When I try to connect to the WLAN, I am prompted for a user/password and 
after accepting the cert the following log appears:

Tue Jan 21 15:22:20 2014 : Info: Found Auth-Type = EAP
Tue Jan 21 15:22:20 2014 : Info: # Executing group from file 
/etc/freeradius/sites-enabled/wlan
Tue Jan 21 15:22:20 2014 : Info: +- entering group eap {...}
Tue Jan 21 15:22:20 2014 : Info: [eap] Request found, released from the list
Tue Jan 21 15:22:20 2014 : Info: [eap] EAP/mschapv2
Tue Jan 21 15:22:20 2014 : Info: [eap] processing type mschapv2
Tue Jan 21 15:22:20 2014 : Info: [mschapv2] # Executing group from file 
/etc/freeradius/sites-enabled/wlan
Tue Jan 21 15:22:20 2014 : Info: [mschapv2] +- entering group MS-CHAP {...}
Tue Jan 21 15:22:20 2014 : Info: [mschap] Creating challenge hash with 
username: peterpan
Tue Jan 21 15:22:20 2014 : Info: [mschap] Told to do MS-CHAPv2 for 
peterpan with NT-Password
Tue Jan 21 15:22:20 2014 : Info: [mschap]       expand: 
%{Stripped-User-Name} ->
Tue Jan 21 15:22:20 2014 : Info: [mschap]       ... expanding second 
conditional
Tue Jan 21 15:22:20 2014 : Info: [mschap]       expand: %{User-Name} -> 
peterpan
Tue Jan 21 15:22:20 2014 : Info: [mschap]       expand: 
%{%{User-Name}:-None} -> peterpan
Tue Jan 21 15:22:20 2014 : Info: [mschap]       expand: 
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -> 
--username=peterpan
Tue Jan 21 15:22:20 2014 : Info: [mschap] Creating challenge hash with 
username: peterpan
Tue Jan 21 15:22:20 2014 : Info: [mschap]       expand: 
%{mschap:Challenge} -> 961c5ef0871022f8
Tue Jan 21 15:22:20 2014 : Info: [mschap]       expand: 
--challenge=%{%{mschap:Challenge}:-00} -> --challenge=961c5ef0871022f8
Tue Jan 21 15:22:20 2014 : Info: [mschap] No NT-Domain was found in the 
User-Name.
Tue Jan 21 15:22:20 2014 : Info: [mschap]       expand: 
%{mschap:NT-Domain} ->
Tue Jan 21 15:22:20 2014 : Info: [mschap]       ... expanding second 
conditional
Tue Jan 21 15:22:20 2014 : Info: [mschap]       expand: 
--domain=%{%{mschap:NT-Domain}:-ADINT.DIR} -> --domain=ADINT.DIR
Tue Jan 21 15:22:20 2014 : Info: [mschap]       expand: 
%{mschap:NT-Response} -> 500c5d66631f60e8c22cd8510406cb15c0868eee8d7a9fed
Tue Jan 21 15:22:20 2014 : Info: [mschap]       expand: 
--nt-response=%{%{mschap:NT-Response}:-00} -> 
--nt-response=500c5d66631f60e8c22cd8510406cb15c0868eee8d7a9fed
Tue Jan 21 15:22:20 2014 : Debug: Exec-Program output: Reading winbind 
reply failed! (0xc0000001)
Tue Jan 21 15:22:20 2014 : Debug: Exec-Program-Wait: plaintext: Reading 
winbind reply failed! (0xc0000001)
Tue Jan 21 15:22:20 2014 : Debug: Exec-Program: returned: 1
Tue Jan 21 15:22:20 2014 : Info: [mschap] External script failed.
Tue Jan 21 15:22:20 2014 : Info: [mschap] FAILED: MS-CHAP2-Response is 
incorrect
Tue Jan 21 15:22:20 2014 : Info: ++[mschap] returns reject
Tue Jan 21 15:22:20 2014 : Info: [eap] Freeing handler
Tue Jan 21 15:22:20 2014 : Info: ++[eap] returns reject
Tue Jan 21 15:22:20 2014 : Info: Failed to authenticate the user.
Tue Jan 21 15:22:20 2014 : Auth: Login incorrect (mschap: External 
script says Reading winbind reply failed! (0xc0000001)): [peterpan/<via 
Auth-Type = EAP>] (from client WLAN port 29 cli 84-3a-4b-7a-6a-2c via 
TLS tunnel)

Does anyone know why this happens?

Regards
Carsten

