LDAP / mschap Error

[Andreas Zwinzscher]

Dear freeradius-users,

I have got a problem with the implementation of the freeradius and ldap-authentication. 

I've running a freeradius version 2.2.8 and so far, everything is working well. Connetion to the AD works well. The ntlm_auth module also works if I do the test. But now the problem:

The clients are using Windows 7 , 8.1 or 10. If I do a manual login with username/password the authentication works well. But if I activate the option to use the windows login informations, the authentication fails. I got an MSCHAP error. So I tried a few things to figure out where the problem is.

radtest  - t mschap username password localhost 0 testing123

This works very well. Ok...but the username comes with another format, if I do an authentication via Windows. So I tried following:

radtest -t mschap DOMAIN//username password localhost 0 testing123

Well...this also works. I recieve an access-accept packet. So I studied the logs more in detail and found out, that the first letter of the username is case sensitive. So I did a new test:

radtest -t mschap DOMAIN//Username password localhost 0 testing123

And here I got the same mschap-error as with the (automatic) windows authentication. 

If I do a check with wbinfo -u I see every username written in lower case letters only. I also checked if the freerad user has permissions on winbindd_priv. Everything should be allright here. The "with-ntdomain-hack = yes" option is also enabled. So I really got no idea where to look next.

I have an almost identical setup running very well, also with windows-authentication. The only difference is that I use an older freeradius version here. I think it's 2.1.18. 

Would be great if someone got some tipps for me. Thanks.

Andreas