I am trying to set up 802.1x on our network and I would like the users to be able to use their current Active Directory credentials.
I need the AD domain to be stripped from the username so that I can feed it to ntlm_auth. I am using a Windows XP Pro client and a Windows 2003 server. Here is part of my config file:

    modules {
        realm ntdomain {
            format = prefix
            delimiter = "\\"
            ignore_default = no
            ignore_null = no
        }
        eap {
            default_eap_type = peap
            timer_expire = 60
            ignore_unknown_eap_types = no
            cisco_accounting_username_bug = yes
            tls {
                private_key_password = whatever
                private_key_file = ${raddbdir}/certs/cert-srv.pem
                certificate_file = ${raddbdir}/certs/cert-srv.pem
                CA_file = ${raddbdir}/certs/demoCA/cacert.pem
                dh_file = ${raddbdir}/certs/dh
                random_file = ${raddbdir}/certs/random
                fragment_size = 1024
                include_length = yes
            }
            peap {
                default_eap_type = mschapv2
            }
            mschapv2 {
            }
        }
        mschap {
            authtype = MS-CHAP
            with_ntdomain_hack = no
            ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=MI --username=%{Stripped-User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
        }
    }

    authorize {
        preprocess
        ntdomain
        eap
        files
    }

    authenticate {
        Auth-Type MS-CHAP {
            mschap
        }
        eap
    }

From the debug output:

    radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
    radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
    Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=MI --username= --challenge=3d66c96d9aa150e6 --nt-response=c97090b4f7aeeac3ea2a98e24daf1fdac43f626658cbe463
    Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
    Exec-Program: returned: 1

If I try ntlm_auth manually, it works fine:

    [EMAIL PROTECTED] raddb]# ntlm_auth --request-nt-key --domain=MI --username=chand
    password:
    NT_STATUS_OK: Success (0x0)

Has anyone successfully used freeradius to authenticate against Active Directory (Windows 2003)?

Chris Hand
Network Engineer
[EMAIL PROTECTED]

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
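An added example, not part of Chris's post. The debug line `Exec-Program: ... --username= ...` shows that `%{Stripped-User-Name}` expanded to nothing, so ntlm_auth was asked to verify an empty account against the domain and the DC answered with a logon failure. Two things a practitioner can do here: on the FreeRADIUS side, give the xlat a fallback so the raw identity is used when the realm module has not stripped anything (`--username=%{Stripped-User-Name:-%{User-Name}}`, the same `:-default` syntax the post already uses for `%{mschap:Challenge:-00}`); and, to see exactly what ntlm_auth receives from radiusd, put a small wrapper script in the mschap `ntlm_auth` setting in place of /usr/bin/ntlm_auth. The wrapper below does the latter: it logs the username and domain (never the challenge, the NT-Response or the NT key that `--request-nt-key` prints, since any of those in a readable log lets someone crack or replay the exchange offline), strips a `DOMAIN\` prefix itself if one is still present, refuses an empty username with a clear message, and then execs the real ntlm_auth. The binary path, the log path and the `MI` default domain are assumptions taken from the post.

```shell
#!/bin/sh
# ntlm_auth-wrapper.sh -- added diagnostic wrapper around ntlm_auth; not part
# of the original post.  In the FreeRADIUS mschap module, point the ntlm_auth
# setting at this script instead of /usr/bin/ntlm_auth, e.g.
#   ntlm_auth = "/usr/local/sbin/ntlm_auth-wrapper.sh --request-nt-key --domain=MI --username=%{Stripped-User-Name:-%{User-Name}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
# Assumed: the real binary is /usr/bin/ntlm_auth, the log path is writable by
# the radiusd user, and MI is the fallback domain.

NTLM_AUTH=${NTLM_AUTH:-/usr/bin/ntlm_auth}
LOGFILE=${NTLM_AUTH_LOG:-/var/log/radius/ntlm_auth-wrapper.log}
DEFAULT_DOMAIN=${DEFAULT_DOMAIN:-MI}

# Append one line to the log; a logging failure must never fail the auth.
log() {
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >>"$LOGFILE" 2>/dev/null || :
}

# "DOMAIN\user" -> "user"; a bare username is returned unchanged.
strip_ntdomain() {
    case "$1" in
        *\\*) printf '%s\n' "${1##*\\}" ;;
        *)    printf '%s\n' "$1" ;;
    esac
}

# "DOMAIN\user" -> "DOMAIN"; empty output when there is no prefix.
ntdomain_of() {
    case "$1" in
        *\\*) printf '%s\n' "${1%%\\*}" ;;
        *)    printf '\n' ;;
    esac
}

# Decide what to pass on.  A domain carried inside the username wins over the
# --domain argument, which wins over DEFAULT_DOMAIN.  Sets RESOLVED_USER and
# RESOLVED_DOMAIN; returns 1 when no username is left (the failure in the post).
resolve_user_domain() {
    RESOLVED_USER=$(strip_ntdomain "$1")
    RESOLVED_DOMAIN=$(ntdomain_of "$1")
    [ -n "$RESOLVED_DOMAIN" ] || RESOLVED_DOMAIN=$2
    [ -n "$RESOLVED_DOMAIN" ] || RESOLVED_DOMAIN=$DEFAULT_DOMAIN
    [ -n "$RESOLVED_USER" ]
}

main() {
    user= domain=
    for arg in "$@"; do
        case "$arg" in
            --username=*) user=${arg#--username=} ;;
            --domain=*)   domain=${arg#--domain=} ;;
        esac
    done
    if ! resolve_user_domain "$user" "$domain"; then
        log "refused: empty username (domain='$domain'); check Stripped-User-Name"
        echo "ntlm_auth-wrapper: empty username"   # radiusd shows stdout in debug output
        exit 1
    fi
    # Rebuild argv without the original --username/--domain, then append ours.
    n=$#
    while [ "$n" -gt 0 ]; do
        arg=$1; shift
        case "$arg" in
            --username=*|--domain=*) ;;
            *) set -- "$@" "$arg" ;;
        esac
        n=$((n - 1))
    done
    log "calling ntlm_auth user='$RESOLVED_USER' domain='$RESOLVED_DOMAIN'"
    exec "$NTLM_AUTH" "$@" "--username=$RESOLVED_USER" "--domain=$RESOLVED_DOMAIN"
}

# Only act as the wrapper when radiusd actually passed arguments.
[ "$#" -eq 0 ] || main "$@"
```

Install the script and its log file owned by the user radiusd runs as, mode 0700 and 0600 respectively, since the log names accounts that are being authenticated. If the wrapper shows a correct username and domain yet ntlm_auth still fails from radiusd while succeeding as root on the command line, the usual remaining cause is that the radiusd user cannot reach winbindd's privileged pipe directory, which `--request-nt-key` needs.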