On 2014-08-12, at 15:58 , "Stormont, Stephen (IMS)" <[email protected]>
wrote:
> When I entered the command that you suggested on the PacketFence/FreeRadius
> server, I got this:
>
> [root@pfcv sbin]# ntlm_auth --username=LT-T430-3\$ --challenge=4ab096b446376d5f --ntresponse=4df85dd62db46ee5bef1aa07fe499e87fc16eca72bd529e7
> Logon failure (0xc000006d)
>
> Contents of mschap are below:
>
> mschap {
> use_mppe = yes
> require_encryption = yes
> require_strong = yes
> with_ntdomain_hack = yes
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}} --challenge=%{mschap:Challenge:-00} --ntresponse=%{mschap:NT-Response:-00}"
> }
Well, at least you can reproduce it reliably…
Your mschap file looks about right.
So I think the first step is to get user authentication working reliably.
It's probably easier to figure out why user auth is not working first since
it's easier to know if your password is correct.
What happens when you try user auth at the command line using ntlm_auth?
I.e.
# ntlm_auth --username=whatever
And if we compare with the FreeRADIUS debugging output for the same section?
Can you post the relevant lines for that please (same ones as for the computer
authentication)?
What happens when you try to authenticate a user with the same arguments to
ntlm_auth that FreeRadius uses (just as for the computer auth)?
If user authentication works when you enter the password manually but not when
freeradius tries it, then either the 802.1x client is not using a valid
password or the AD cannot find that user.
See this article for some background on ntlm:
http://msdn.microsoft.com/en-ca/library/windows/desktop/aa378749(v=vs.85).aspx
Have a look at the winbind logs (/var/log/samba/log.winbindd ).
There should be a line for each authentication attempt like the following:
[2014/08/13 09:31:56.156551, 3]
winbindd/winbindd_pam_auth.c:54(winbindd_pam_auth_send)
[ 7023]: pam auth inverse.local\lmunro
How does the line differ between when you are authenticating manually (from the
command line) as opposed to when FreeRadius calls winbind (and fails)?
Is the domain the same?
Of course it may help if you have some logs from the AD side as well.
Regards,
--
Louis Munro
[email protected] :: www.inverse.ca
+1.514.447.4918 *125 :: +1 (866) 353-6153
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
------------------------------------------------------------------------------
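An added example for the winbind log comparison step in the reply above; this is not code from the thread, from PacketFence or from Samba. It parses the `pam auth DOMAIN\user` lines that winbindd writes for each authentication attempt, splits each principal into domain and user (handling `DOMAIN\user`, `user@domain` and bare names, and flagging machine accounts by their trailing `$`), and reports any user that winbind saw under more than one domain, which is exactly the "is the domain the same?" check. The log excerpt in `SAMPLE_LOG` is constructed for the example and the domain names in it (INVERSE, INVERSE.LOCAL, WORKGROUP) are assumptions, not values from the original message.

```python
import re

# Constructed sample winbindd log excerpt (illustrative, NOT taken from the thread):
# a manual ntlm_auth run for a user, FreeRADIUS calling winbind for the same user
# but with the DNS-style domain, and a machine-account attempt.
SAMPLE_LOG = """\
[2014/08/13 09:31:56.156551, 3] winbindd/winbindd_pam_auth.c:54(winbindd_pam_auth_send)
  [ 7023]: pam auth INVERSE\\lmunro
[2014/08/13 09:32:10.002113, 3] winbindd/winbindd_pam_auth.c:54(winbindd_pam_auth_send)
  [ 7023]: pam auth inverse.local\\lmunro
[2014/08/13 09:33:41.880004, 3] winbindd/winbindd_pam_auth.c:54(winbindd_pam_auth_send)
  [ 7023]: pam auth WORKGROUP\\LT-T430-3$
"""

# Header line of a Samba log message: "[YYYY/MM/DD HH:MM:SS.micro, <debug level>] file:line(func)"
TIMESTAMP_RE = re.compile(
    r'^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]'
)
# The continuation line winbindd writes for each authentication request.
PAM_AUTH_RE = re.compile(r'^\s*\[\s*(?P<pid>\d+)\]:\s+pam auth\s+(?P<principal>\S+)\s*$')


def split_principal(principal):
    """Return (domain, user, is_machine) for 'DOMAIN\\user', 'user@domain' or a bare user.

    The domain is upper-cased so that case differences do not count as a mismatch,
    but a NetBIOS name (INVERSE) and a DNS name (INVERSE.LOCAL) still differ.
    Machine accounts are recognised by the trailing '$' in the sAMAccountName.
    """
    if '\\' in principal:
        domain, user = principal.split('\\', 1)
    elif '@' in principal:
        user, domain = principal.split('@', 1)
    else:
        domain, user = None, principal
    domain = domain.upper() if domain else None
    return domain, user, user.endswith('$')


def parse_pam_auth(text):
    """Extract every 'pam auth' attempt from a winbindd log, with its timestamp and pid."""
    attempts = []
    last_ts = None
    for line in text.splitlines():
        m = TIMESTAMP_RE.match(line)
        if m:
            last_ts = m.group('ts')  # header precedes the pam auth line
            continue
        m = PAM_AUTH_RE.match(line)
        if m:
            domain, user, is_machine = split_principal(m.group('principal'))
            attempts.append({
                'ts': last_ts,
                'pid': int(m.group('pid')),
                'domain': domain,
                'user': user,
                'machine': is_machine,
            })
    return attempts


def domain_mismatches(attempts):
    """Map each user (case-folded) that was seen under more than one domain to the sorted domains."""
    seen = {}
    for a in attempts:
        seen.setdefault(a['user'].lower(), set()).add(a['domain'])
    return {
        user: sorted(d if d is not None else '' for d in domains)
        for user, domains in seen.items()
        if len(domains) > 1
    }


if __name__ == '__main__':
    found = parse_pam_auth(SAMPLE_LOG)
    for a in found:
        kind = 'machine' if a['machine'] else 'user'
        print(f"{a['ts']} pid={a['pid']} {kind:7} domain={a['domain']} user={a['user']}")
    for user, domains in domain_mismatches(found).items():
        print(f"MISMATCH: {user} was authenticated against different domains: {domains}")
```

Feed it the real file with `python3 winbind_pam_auth.py < /var/log/samba/log.winbindd` after replacing `SAMPLE_LOG` with `sys.stdin.read()`; the `, 3]` in each header is the debug level of that message, so winbind has to be logging at level 3 or higher for the `pam auth` lines to appear at all.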
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users