On Thu, 2009-02-19 at 11:33 +0100, t...@kalik.net wrote:
> I have news for you - you haven't done any of this:
>
> http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO#Configuration_of_radiusd.conf
>
> > Module: Instantiating mschap
> >  mschap {
> >         use_mppe = yes
> >         require_encryption = no
> >         require_strong = no
> *>        with_ntdomain_hack = no*
> >  }
>
> Also no ntlm_auth configured in mschap module (raddb/modules/mschap). So:
>
> > [mschapv2] +- entering group MS-CHAP {...}
> > [mschap] NT Domain delimeter found, should we have enabled
> > with_ntdomain_hack?
>
> Server asks about the hack.
>
> > [mschap] Told to do MS-CHAPv2 for AD\tomas with NT-Password
> > [mschap] FAILED: MS-CHAP2-Response is incorrect
> > ++[mschap] returns reject
>
> And it isn't using ntlm_auth.
>
> You have an updated manual (relevant to freeradius 2.x) at:
>
> http://deployingradius.com/documents/configuration/active_directory.html

Ivan, thanks for pointing this out. I did not understand where I needed to configure mschap, so I had just appended the ntlm_auth and nt hack strings to the end of radiusd.conf. I've removed that now and updated the modules/mschap file; when radius starts I can clearly see it now picks it up:

 Module: Instantiating mschap
  mschap {
        use_mppe = yes
        require_encryption = no
        require_strong = no
        with_ntdomain_hack = yes
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
  }

and it works! I authenticate.

My question now is: how do I log in to AD using a new user that has never logged on to the box before? I'm getting an error saying domain AD is unavailable, but if I use a username that I used to log in with before 802.1x enforcement, all looks good...

Thanks all for your help!

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
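Added example for this thread (not code from the mailing list, from FreeRADIUS, or from the linked guides): a POSIX shell script that reproduces, outside radiusd, the two pieces the mschap configuration above relies on, so each can be checked on its own when a user is rejected. The first part mirrors the name handling (dropping a leading "DOMAIN\" as the ntdomain hack does, and the `%{Stripped-User-Name:-%{User-Name:-None}}` fallback) and renders the exact ntlm_auth command line the module would run; the second part is the manual `ntlm_auth --domain ... --username ... --password ...` check that the deployingradius guide has you run before touching mschap, which goes straight through winbind and tells you whether the box can reach the domain for that user at all. The path /usr/bin/ntlm_auth and the domain name AD are taken from the poster's configuration; the usernames, challenge and password values are constructed placeholders.

```shell
#!/bin/sh
# Added example for the thread above, not code from the list or from FreeRADIUS.
# Assumptions: ntlm_auth is at /usr/bin/ntlm_auth (override with NTLM_AUTH),
# and all sample names, challenges and passwords below are constructed.

NTLM_AUTH="${NTLM_AUTH:-/usr/bin/ntlm_auth}"
bs='\'   # a literal backslash, kept in a variable to avoid pattern-escaping traps

# The name stripping the ntdomain hack performs (simplified): a leading
# "DOMAIN\" is dropped, so "AD\tomas" is looked up as "tomas".
# Names with no backslash are printed unchanged.
strip_ntdomain() {
    case "$1" in
        *"$bs"*) printf '%s\n' "${1#*"$bs"}" ;;
        *)       printf '%s\n' "$1" ;;
    esac
}

# Mirrors the xlat %{Stripped-User-Name:-%{User-Name:-None}}: the first
# non-empty of Stripped-User-Name, User-Name, or the literal "None".
effective_username() {
    if [ -n "$1" ]; then printf '%s\n' "$1"
    elif [ -n "$2" ]; then printf '%s\n' "$2"
    else printf 'None\n'
    fi
}

# Renders the command line radiusd would run for one MS-CHAPv2 request.
# Arguments: stripped-user-name user-name challenge-hex nt-response-hex.
# %{mschap:Challenge:-00} and %{mschap:NT-Response:-00} fall back to "00"
# when the attributes are missing, so a bare "00" here means the request
# carried no MS-CHAP attributes at all.
build_mschap_cmd() {
    name="$(effective_username "$1" "$2")"
    printf '%s --request-nt-key --username=%s --challenge=%s --nt-response=%s\n' \
        "$NTLM_AUTH" "$name" "${3:-00}" "${4:-00}"
}

# The manual pre-check: authenticate a known user with a cleartext password
# directly through winbind. ntlm_auth exits 0 on NT_STATUS_OK and non-zero
# on any NT_STATUS error (wrong password, domain unreachable, unknown user).
# Returns 0 = OK, 1 = NT_STATUS failure, 2 = ntlm_auth binary not present.
check_ntlm_auth() {
    domain="$1"; user="$2"; password="$3"
    [ -x "$NTLM_AUTH" ] || return 2
    if "$NTLM_AUTH" --request-nt-key --domain="$domain" \
            --username="$user" --password="$password" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# Usage with the constructed values (outputs shown after ->):
#   strip_ntdomain 'AD\tomas'             -> tomas
#   effective_username '' ''              -> None
#   build_mschap_cmd '' 'AD\tomas' '' ''  -> /usr/bin/ntlm_auth --request-nt-key --username=AD\tomas --challenge=00 --nt-response=00
#   check_ntlm_auth AD tomas 'secret'; echo $?   -> 0 only when winbind is joined and the password is right
```

Run `check_ntlm_auth AD <user> '<password>'` for the new user that is being rejected: a non-zero status there means winbind itself cannot authenticate the account, so the problem is in the Samba/winbind join rather than in the mschap module, and radiusd cannot do better than ntlm_auth does.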