Hi,
> I'm new to freeradius, I'm working on setting it up to authenticate users to
> our wireless network. We want to use PEAP-MSCHAPv2 and authenticate against
> Active Directory. I'm using samba and ntlm_auth.
okay - a fairly standard setup for modern 802.1X
> Versions:freeradius2-2.1.7-7.el5 and samba3.0.33-3.29
okay - the right 'blend'... as it were
> I have the ntlm_auth part working in as far as I can put DEFAULT Auth-Type =
> ntlm_auth in users and then do
you don't need to set Auth-Type for the MSCHAPv2 stuff... you might need it if,
for example, you wanted to do MSCHAPv2 AND kerberos for different types of
requests - even then, you only need to set kerberos to be the Auth-Type, as the
EAP module is intelligent
> I then configure MS-CHAP, removing the DEFAULT Auth-Type from users and
> editing modules/mschap as follows
>
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> --username=%{mschap:User-Name:-None}
> --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} --challenge=%{mschap:Challenge:-00}
> --nt-response=%{mschap:NT-Response:-00}"
do you REALLY want to accept what the user puts in as the gospel truth? i.e., I
wouldn't be comfortable taking the user-supplied domain for the ntlm_auth - I'd
set it manually (if it really was a local user!)
> Output from radius -X at the bottom of this message. The bit that looks
> relevant to me is
what you have posted is the 'replay' of a transaction - try starting the daemon
up and launching the request ASAP - i.e. so what we have is straight after the
'listen and ready' line - especially as with your current ntlm_auth line I'd
expect to see a deprecated warning
> [suffix] Looking up realm "mydomain.ox.ac.uk" for User-Name =
> "[email protected]"
> [suffix] No such realm "mydomain.ox.ac.uk"
>
> However I'm not sure I need to worry about that bit - at the moment this is
> just a single, stand alone RADIUS server so I'm not sure I need to worry
> about realms or do I?....
it'd still be best to define that realm, if using prefix, to be local, e.g. in
proxy.conf:
realm mydomain.ox.ac.uk {
strip
}
alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
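Putting the two suggestions from the reply together as one configuration fragment (an added example, not config from the original thread): the posted ntlm_auth line, which lets the client choose the domain, beside a hardened line that pins the domain, plus the proxy.conf realm entry that strips the suffix locally. MYDOMAIN and mydomain.ox.ac.uk are the values from the thread; the file paths are the standard FreeRADIUS 2.1.x raddb locations, assumed here.

```conf
# raddb/modules/mschap (FreeRADIUS 2.1.x)
mschap {
    # WEAK (as posted): --domain is filled from the NT-Domain the client sent
    # in DOMAIN\user, so the supplicant controls which domain winbind is asked
    # to authenticate against. Kept here, commented out, for comparison only.
    #ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

    # HARDENED: pin --domain to the domain this Samba host is joined to, so a
    # client-supplied DOMAIN\ prefix can never redirect the lookup. The
    # %{%{X}:-default} nesting is the 2.x form of the default expansion; the
    # user name falls back to the MS-CHAP name only when no realm was stripped.
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{mschap:User-Name}} --domain=MYDOMAIN --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

# raddb/proxy.conf: declare the realm as local (no authhost/accthost), so
# "[email protected]" is recognised by the suffix module, the
# "@mydomain.ox.ac.uk" part is stripped into Stripped-User-Name, and the
# request is never proxied elsewhere.
realm mydomain.ox.ac.uk {
    strip
}
```

After changing either file, restart radiusd with -X and confirm the suffix module now reports the realm as local rather than "No such realm".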