Cory Johnson wrote:
> When I try to log into the VPN from a Windows client, I get the error
> message: "Error 691: Access was denied because the user name and/or
> password was invalid on the domain.", but radius logs show
> "Access-Accept".

You misconfigured the server, and broke it.

> My major difference is that I am using an LDAP backend
> which contains NT passwords (it is also the LDAP backend for my samba
> server).

It's not using the NT Passwords. See the debug log.

> Tried fiddling with mppe and encryption settings in the mschap module,
> but always get the same results.

The issue isn't the mschap module. It's elsewhere.

> "freeradius -X" debug below, as always any reply would be great.
>
> rad_recv: Access-Request packet from host 192.168.1.55 port 43210, id=116, length=166
>         NAS-Identifier = "pfsense.local"
>         NAS-Port = 0
>         NAS-Port-Type = Virtual
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         Calling-Station-Id = "192.168.1.153"
>         User-Name = "cjohnson"
>         MS-CHAP-Challenge = 0xbc4e68fb2822b769cef9f48f6420925f
>         MS-CHAP2-Response = 0x0100991b81f3bbq3859d8qa75ae826662d8600000000000000009584dde386742b71bc7c72fca79a678ebf1fee00b74a36e2
> ...
>   Found Auth-Type = Accept
>   Auth-Type = Accept, accepting the user

You have configured the server to *force* Auth-Type. Don't do that.

The "Auth-Type := Accept" forces the server to *not* do MS-CHAP authentication. The client sees that the required MS-CHAP data is missing from the response, and concludes that the server is broken, or lying to it.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
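As an added check (not part of this thread or of FreeRADIUS), here is a small Python script that scans "freeradius -X" output for exactly the failure above: an MS-CHAPv2 Access-Request that the server answers with Access-Accept but without the MS-CHAP2-Success attribute the Windows client must verify to finish the handshake. The two log samples are constructed to resemble 2.x-style debug output; the Access-Accept lines and hex values are placeholders, not real handshake data.

```python
import re

# Constructed "freeradius -X" samples (2.x-style layout). The broken run mirrors
# the post; reply lines and hex values are placeholders, not real handshake data.
BROKEN_LOG = """\
rad_recv: Access-Request packet from host 192.168.1.55 port 43210, id=116, length=166
\tMS-CHAP2-Response = 0x0100000000000000000000000000000000
  Found Auth-Type = Accept
  Auth-Type = Accept, accepting the user
Sending Access-Accept of id 116 to 192.168.1.55 port 43210
"""
# Correct run: the mschap module picks Auth-Type and the reply carries
# MS-CHAP2-Success, the authenticator response the client must verify.
OK_LOG = """\
rad_recv: Access-Request packet from host 192.168.1.55 port 43210, id=117, length=166
\tMS-CHAP2-Response = 0x0100000000000000000000000000000000
  Found Auth-Type = MS-CHAP
Sending Access-Accept of id 117 to 192.168.1.55 port 43210
\tMS-CHAP2-Success = 0x01533d30303030
"""

PKT_RE = re.compile(r"^(?:rad_recv: (?P<req>\S+) packet .*?id=(?P<rid>\d+)"
                    r"|Sending (?P<rep>\S+) of id (?P<pid>\d+))")
AUTH_RE = re.compile(r"^\s*(?:Found )?Auth-Type = (?P<auth>[\w-]+)")
ATTR_RE = re.compile(r"^\s+(?P<name>[\w-]+)\s*=\s*(?P<value>.*)$")


def parse_exchanges(log):
    """Group request attrs, chosen Auth-Type and reply attrs by packet id."""
    exchanges, cur, side = {}, None, None
    for line in log.splitlines():
        if m := PKT_RE.match(line):
            pid = int(m.group("rid") or m.group("pid"))
            cur = exchanges.setdefault(pid, {"request": {}, "reply": {}})
            side = "request" if m.group("req") else "reply"
            if side == "reply":
                cur["reply_code"] = m.group("rep")
        elif cur and (m := AUTH_RE.match(line)):
            cur["auth_type"] = m.group("auth")
        elif cur and (m := ATTR_RE.match(line)):
            cur[side][m.group("name")] = m.group("value")
    return exchanges


def check_mschap_exchange(log):
    """Flag MS-CHAPv2 requests answered without MS-CHAP actually being done."""
    findings = []
    for pid, ex in sorted(parse_exchanges(log).items()):
        if "MS-CHAP2-Response" not in ex["request"]:
            continue  # not an MS-CHAPv2 login, nothing to check
        if ex.get("auth_type") == "Accept":
            findings.append(f"id={pid}: Auth-Type forced to Accept, mschap never ran")
        if ex.get("reply_code") == "Access-Accept" and "MS-CHAP2-Success" not in ex["reply"]:
            findings.append(f"id={pid}: Access-Accept without MS-CHAP2-Success (Error 691)")
    return findings
```

Run it over a captured debug session: a non-empty result on an Access-Accept means the client will reject the login even though the server logged success.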

