Re: Freeradius, PEAP, Active Directory and --require-membership-of

Thu, 02 Oct 2008 10:41:34 -0700 

As with every other freeradius problem - when it doesn't work - debug
(radiusd -X).

Ivan Kalik
Kalik Infromatika ISP

Dana 2/10/2008, "Vieri" <[EMAIL PROTECTED]> piše:

>Hi,
>
>I'm running freeradius-2.0.5 on Linux.
>
>My setup is as follows:
>
>Windows Vista native client - Linksys AP - FreeRadius Linux server 
>(PEAP/mschapv2) - Active Directory Windows server
>
>Everything works smoothly with the following ntlm_auth parameters in the 
>mschap module:
>
>ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key 
>--username=%{Stripped-User-Name:-%{User-Name:-None}} 
>--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
>
>However, user authentication is rejected when I add the --domain parameter:
>
>ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-D
>omain} --username=%{Stripped-User-Name:-%{User-Name:-None}} 
>--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
>
>(from the Windows Vista client I obviously set the DOMAIN filed; besides, if I 
>run the freeradius daemon with debug enabled I see that it "correclty" reeives 
>'DOMAIN\username')
>
>For starters, I don't understand why authentication fails if I add --domain. 
>How can I find out why?
>
>Then, adding --require-membership-of with or without --domain also fails.
>
>ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-D
>omain} --username=%{Stripped-User-Name:-%{User-Name:-None}} 
>--require-membership-of='DOMAIN\\WIFI' --challenge=%{mschap:Challenge:-00} 
>--nt-response=%{mschap:NT-Response:-00}"
>
>Finally, running ntlm_auth from the command line yields:
>
># ntlm_auth --request-nt-key --domain=DOMAIN --username=myuser 
>--require-membership-of='DOMAIN\\WIFI'
>password:
>NT_STATUS_OK: Success (0x0)
>
>Could it be a "bug" in the freeradius version I'm running?
>
>Can anyone please suggest how I can debug this (not a radius expert ;-) )?
>
>Regards,
>
>Vieri
>
>
>
>
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Reply via email to