It's largely successful, but as I mentioned in my note to this group from the
29th, I've run into problems with Windows clients having a disagreement with
FreeRADIUS about the final stages of the PEAP-MSCHAPv2 conversation, after IAS
has authenticated them successfully.
- Jacob
On 31 Aug
That's the case here. Our AD servers are set to only accept NTLMv2, and they
won't budge from that. The workaround for us is to proxy the inner tunnel on
domain user authentications to IAS and let it handle talking to AD over NTLMv2.
There's a registry hack involved, and it either lets them
On 30/08/11 22:53, Danner, Mearl wrote:
Might be the LAN Manager authentication level on the 2K8 servers. It needs to be
downgraded. Probably to Send LM and NTLM.
Samba used to put a note about that in the documentation.
That's related to the LM/NT hashes used to authenticate an SMB
On 30/08/11 21:12, Glenn Machin wrote:
Phil - thanks for the feedback.
I just ended up proxying out to the IAS server usernames starting with
DOMAIN\.
Ok. Obviously that will fail if enters their wireless credentials
without a domain.
I configured the freeradius server to not support
Jacob Dawson wrote:
That's the case here. Our AD servers are set to only accept NTLMv2, and they
won't budge from that. The workaround for us is to proxy the inner tunnel on
domain user authentications to IAS and let it handle talking to AD over
NTLMv2. There's a registry hack involved,
Phil - thanks for the feedback.
I just ended up proxying out to the IAS server usernames starting with
DOMAIN\.
I configured the freeradius server to not support mschapv2 but will
support PEAP/GTC EAP/TLS.
It seems to be working fine with the Macs, iPads and Linux systems while
the
Glenn Machin wrote:
It still bugs that ntlm_auth would not authenticate to the domain
controllers the challenge and nt-response.
It could be a Samba bug. See comments in eap.conf.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Might be the LAN Manager authentication level on the 2K8 servers. It needs to
be downgraded. Probably to Send LM and NTLM.
Samba used to put a note about that in the documentation.
It still bugs that ntlm_auth would not authenticate to the domain
controllers the challenge and
I am using radiusd: FreeRADIUS Version 2.1.11.
I cannot seem to get the RHEL5 (2.6.18-238.9.1.el5) ntlm_auth program to
properly authenticate the challenge and nt-response packets.
If I set the password using clear-text and also set
MS-CHAP-Use-NTLM-Auth, the authentication works fine. The