Alan,

Upon setting "with_ntdomain_hack = no", of course now my wireless users cannot be found in ldap, so the systems that did work before do not now:

radius_xlat: '(uid=MNU.EDU\\Matt)'
radius_xlat: 'dc=mnu,dc=edu'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=mnu,dc=edu, with filter (uid=MNU.EDU\\Matt)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns notfound for request 25

It looks to me like the domain is not used in the calculation of ms-chap, otherwise it would not work at all when using with_ntdomain_hack, or am I missing something? I'll do a packet dump and come back with the results.

-Matt
MNU Network Administrator

--- Original Message Below ---
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: PEAP Woes
Date: Wed, 29 Oct 2003 16:44:33 -0500

"Matt Sapp" <[EMAIL PROTECTED]> wrote:

> On the Centrino laptop, logging into the domain, wireless also comes up.
>
> However, the laptop with the Atheros card in it, when logging into
> the domain rather than locally to the laptop, I get this when running
> with -X:

If one works and the other doesn't, then the ONLY difference is in the RADIUS requests. Compare the RADIUS requests from the two laptop authentications, and see what's different. The differences are breaking authentication.

> I am using "with_ntdomain_hack = yes" in my configuration.

See a post earlier today on the list. MS-CHAP depends on usernames. "with_ntdomain_hack = yes" means that the user name is changed, so MS-CHAP authentication will NOT work.

Try setting "with_ntdomain_hack = no"

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
