Users in SQL not accepted, AD works.

Alan DeKok aland at
Tue Jan 9 02:19:43 UTC 2024

On Jan 8, 2024, at 7:22 PM, it at wrote:
> we have a (working) FreeRadius 3.2.3 instance which is connected to our AD through ntlm_auth (but also fetches some additional fields from LDAP). Not sure if this is intended the way we built it, but it worked so far. We now wanted to add SQL (to allow temporary users). For that, we followed the official guide (SQL-HOWTO-for-freeradius-3.x-on-Debian-Ubuntu). This works well when testing with NTRadPing but fails when connecting a device (in this case, a Windows 10 PC).=

  It can be complex to merge two different guides.  It requires careful attention to detail, as not all of the complexities are due to FreeRADIUS.

> If we correctly understood the guide, this should work pretty much out of the box; still, we neitzer can get it to work nor do we fully understand what is actually causing this behaviour. Is this an issue with MSCHAP? If so, how do we fix it?
> We attached both, our sites-enabled/default file and the debug output of the server while connecting a client with credentials stored in SQL. I can also provide the log of a client connecting with credentials stored in the AD if that helps.

   We don't need to see configuration files.  It doesn't help.

> (12) Sent Access-Challenge Id 183 from to length 172
> (12)   EAP-Message = 0x010e007219001703030067acbcc879c7f014975048c725f1bdd58720924cb98185edbe87e1cbd52be48d1664eef7bdffe3548f1e7b0d5047c7e60b59261276208a1b1b1957eb47d153e7393b0cabef8771c2861f46f0b37bf6af94595005e9efbcb5575fbfc87655ed3baace403e894e467a
> (12)   Message-Authenticator = 0x00000000000000000000000000000000
> (12)   State = 0xbddf205cb1d139b6f7c918f7a32a79be
> (12) Finished request
> Waking up in 3.6 seconds.

  And then nothing happens.

  The supplicant isn't configured with the CA cert used by FreeRADIUS.

  If you leave the server in debug output for long enough (~30s) and send it more packets, it will print out a link to the Wiki which tells you exactly what's going wrong.

  Alan DeKok.

More information about the Freeradius-Users mailing list