problem with radtest and freeradius 3.0.26

Alan DeKok aland at deployingradius.com
Mon Jan 29 19:30:54 UTC 2024


On Jan 29, 2024, at 1:33 PM, Dean Guenther <deanrguenther at gmail.com> wrote:
> The "TESTDOMAIN" is the workgroup specification in the Samba smb.conf. And
> "TESTDOMAIN.COM" is the realm in the smb.conf.
> 
> If I use TESTDOMAIN in the mschap file's ntlm_auth specification then run
> radtest it fails. And using TESTDOMAIN while running ntlm_auth from the
> command line succeeds.
> 
> And if I use TESTDOMAIN.COM in the mschap file's ntlm_auth
> specification then radtest still fails. And using TESTDOMAIN.COM while
> running ntlm_auth from the command line succeeds.

  It's good to test all options, but there is a lot more information there than "it succeeds" or "it fails".

  The issue is also that "running ntlm_auth from the command line" is testing ntlm_auth with passwords, not with the MS-CHAP data.  So it's not really the same test.

> What else should I be looking at? 

  The debug output.

  You can't debug the server by looking at the radtest output.

  The server debug output will tell you WHY it fails, and WHAT is failing.

  The MS-CHAP calculations depend on both the password and the user name which is entered.  The client system (e.g. Windows) does the MS-CHAP calculations, and hands the result to FreeRADIUS.  FreeRADIUS then takes that, and hands it to Windows.

  So if it fails, then the issue is almost always outside of FreeRADIUS.

  I've put some updated documentation into the mschap module:  https://github.com/FreeRADIUS/freeradius-server/blob/v3.2.x/raddb/mods-available/mschap

  Try the instructions there for debugging it.  That should help.

  Alan DeKok.
