LDAP / mschap Error
andreas.zwinzscher at bod-datennetze.de
Wed Aug 24 15:32:22 CEST 2016
I have got a problem with the implementation of freeradius and ldap authentication.
I'm running freeradius version 2.2.8 and so far everything is working well. The connection to the AD works well. The ntlm_auth module also works if I do the test. But now the problem:
The clients are using Windows 7, 8.1 or 10. If I do a manual login with username/password the authentication works well. But if I activate the option to use the Windows login information, the authentication fails. I got an MSCHAP error. So I tried a few things to figure out where the problem is.
radtest -t mschap username password localhost 0 testing123
This works very well. OK... but the username comes in another format if I do an authentication via Windows. So I tried the following:
radtest -t mschap DOMAIN//username password localhost 0 testing123
Well... this also works. I receive an access-accept packet. So I studied the logs in more detail and found out that the first letter of the username is case sensitive. So I did a new test:
radtest -t mschap DOMAIN//Username password localhost 0 testing123
And here I got the same mschap-error as with the (automatic) windows authentication.
If I do a check with wbinfo -u I see every username written in lower case letters only. I also checked whether the freerad user has permissions on winbindd_priv. Everything should be all right here. The "with-ntdomain-hack = yes" option is also enabled. So I really have no idea where to look next.
I have an almost identical setup running very well, also with Windows authentication. The only difference is that I use an older freeradius version there. I think it's 2.1.18.
It would be great if someone has some tips for me. Thanks.
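The symptom above (DOMAIN//username accepted, DOMAIN//Username rejected, wbinfo -u listing only lower-case names) can be reproduced offline with the small checker below. This is an added example, not code from the poster or from FreeRADIUS; it assumes that the account list is lower case as wbinfo -u showed it, and that the User-Name may arrive as DOMAIN\user, DOMAIN//user, user@realm or a bare user.

```python
# Added example: emulate the username lookup to show why an exact-case
# comparison fails for "DOMAIN//Username" while a case-folded one succeeds.
import re

# Constructed sample of `wbinfo -u` output: one account per line, all lower case,
# in the DOMAIN\user form winbind prints (backslash is escaped for Python).
WBINFO_USERS = """\
domain\\alice
domain\\bob
domain\\jsmith
"""

def split_nt_name(user_name: str):
    """Split a User-Name into (domain, user); domain is None when absent.
    Accepts DOMAIN\\user, DOMAIN/user, DOMAIN//user and user@realm."""
    m = re.match(r'^(?P<dom>[^\\/@]+)[\\/]+(?P<user>.+)$', user_name)
    if m:
        return m.group('dom'), m.group('user')
    if '@' in user_name:
        user, realm = user_name.split('@', 1)
        return realm, user
    return None, user_name

def load_wbinfo(text: str) -> set:
    """Return the bare account names from wbinfo -u output (domain prefix dropped)."""
    return {line.strip().split('\\', 1)[-1] for line in text.splitlines() if line.strip()}

def lookup(user_name: str, known: set, case_sensitive: bool) -> bool:
    """Look the user part of user_name up in the known set, with or without case folding."""
    _dom, user = split_nt_name(user_name)
    if case_sensitive:
        return user in known
    return user.lower() in {k.lower() for k in known}

def diagnose(user_name: str, wbinfo_text: str = WBINFO_USERS) -> str:
    """Classify a User-Name: 'ok' (exact match), 'case-mismatch' (matches only
    after folding, i.e. the problem described in the post) or 'unknown-user'."""
    known = load_wbinfo(wbinfo_text)
    if lookup(user_name, known, case_sensitive=True):
        return "ok"
    if lookup(user_name, known, case_sensitive=False):
        return "case-mismatch"
    return "unknown-user"

if __name__ == "__main__":
    for name in ("DOMAIN//username", "DOMAIN//Username", "alice@domain.example"):
        print(f"{name:25} -> {diagnose(name.replace('username', 'alice'))}")
```

A "case-mismatch" result for a name that a Windows client sends automatically (capitalised first letter) is the signature of the failure described above, and points at the case handling between the RADIUS User-Name and the winbind account name rather than at credentials or permissions.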