Did you cut and paste or type the lines from your config file? According to the config file ntlm_auth has the argument '--challence', but the debug output has the argument '--challenge'.

Hand, Chris wrote:

I am trying to set up 802.1x on our network and I would like the users
to be able to use their current Active Directory credentials.

I need the AD domain to be stripped from the username so that I can feed
it to ntlm_auth. I am using a Windows XP Pro client and Windows 2003
server.

Here is part of my config file.

Modules {
realm ntdomain {
        format = prefix
        delimiter = "\\"
        ignore_default = no
        ignore_null = no
}

eap {
        default_eap_type = peap
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = yes
        tls {
                private_key_password = whatever
                private_key_file = ${raddbdir}/certs/cert-srv.pem
                certificate_file = ${raddbdir}/certs/cert-srv.pem
                CA_file = ${raddbdir}/certs/demoCA/cacert.pem
                dh_file = ${raddbdir}/certs/dh
                random_file = ${raddbdir}/certs/random
                fragment_size = 1024
                include_length = yes
        }
        peap {
                default_eap_type = mschapv2
        }
        mschapv2 {
        }
}

mschap {
        authtype = MS-CHAP
        with_ntdomain_hack = no
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=MI /
--username=%{Stripped-User-Name} --challence=%{mschap:Challenge:-00} /
--nt-response=%{mschap:NT-Response:-00}"
}
}

authorize {
        preprocess
        ntdomain
        eap
        files
}

authenticate {
        Auth-Type MS-CHAP {
                Mschap
        }
        eap
}

From the debug output:
radius_xlat: Running registered xlat function of module mschap for
string 'Challenge'
radius_xlat: Running registered xlat function of module mschap for
string 'NT-Response'
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=MI
--username= --challenge=3d66c96d9aa150e6
--nt-response=c97090b4f7aeeac3ea2a98e24daf1fdac43f626658cbe463
Exec-Program-Wait: plaintext: Logon failure (0xc000006d) Exec-Program: returned: 1


If I try ntlm_auth manually, it works fine:
[EMAIL PROTECTED] raddb]# ntlm_auth --requeset-nt-key --domain=MI /
--username=chand
password: NT_STATUS_OK: Success (0x0)


Has anyone successfully used freeradius to authenticate against Active
Directory (Windows 2003)?

Chris Hand Network Engineer
[EMAIL PROTECTED]





- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
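The following is an added example, not code from either message in the thread and not FreeRADIUS or Samba code. It is a small offline simulation of the three mechanisms the thread touches on: the realm module's `format = prefix` / `delimiter = "\\"` split that produces `Stripped-User-Name`, the `%{Stripped-User-Name}` expansion that becomes an empty `--username=` when that attribute was never set, and a sanity check of the `ntlm_auth` command line against the option names ntlm_auth actually accepts, which flags a typo such as `--challence`. The realm split and xlat expander are simplified re-implementations written for this example; the attribute values and the `simulate` helper are constructed and hypothetical, and the option list only covers the switches used on the page.

```python
"""
Added example (not from the mailing-list thread): simulate the realm split,
the %{...} expansion of the ntlm_auth template, and an option-name check.
Simplified re-implementations for illustration, not FreeRADIUS/Samba code.
"""
import re
import shlex
from typing import Dict, List, Optional, Tuple

# ntlm_auth option names relevant to the mschap module. Deliberately limited
# to the switches used on the page; not a complete inventory of ntlm_auth.
KNOWN_NTLM_AUTH_OPTIONS = {
    "--request-nt-key", "--domain", "--username",
    "--challenge", "--nt-response",
}


def split_realm(user_name: str, delimiter: str = "\\",
                fmt: str = "prefix") -> Optional[Tuple[str, str]]:
    """Return (realm, stripped_user) as a realm instance with the given
    format/delimiter would, or None when the delimiter is absent (in which
    case this instance sets no Stripped-User-Name)."""
    if fmt == "prefix":                       # DOMAIN\user
        realm, sep, user = user_name.partition(delimiter)
    else:                                     # user@realm
        user, sep, realm = user_name.rpartition(delimiter)
    if not sep:
        return None
    return realm, user


def expand_xlat(template: str, attrs: Dict[str, str]) -> str:
    """Tiny subset of xlat: %{Name}, %{mod:Name} and the %{...:-default} form.
    A missing attribute expands to "" (hence '--username=' in the debug log)."""
    pattern = re.compile(r"%\{([^}:]+(?::[^}:]+)?)(?::-([^}]*))?\}")

    def sub(m):
        name, default = m.group(1), m.group(2)
        value = attrs.get(name, "")
        return value if value else (default or "")
    return pattern.sub(sub, template)


def build_ntlm_auth_command(config_cmd: str, attrs: Dict[str, str]) -> List[str]:
    """Expand the template and split it into an argv list (no shell involved)."""
    return shlex.split(expand_xlat(config_cmd, attrs))


def unknown_ntlm_auth_options(argv: List[str]) -> List[str]:
    """Return the --options in argv that are not known ntlm_auth switches."""
    names = [a.split("=", 1)[0] for a in argv[1:] if a.startswith("--")]
    return [n for n in names if n not in KNOWN_NTLM_AUTH_OPTIONS]


# Constructed sample: the ntlm_auth line from the post joined onto one line,
# with the stray '/' continuation characters dropped and the typo left in.
CONFIG_NTLM_AUTH = (
    "/usr/bin/ntlm_auth --request-nt-key --domain=MI "
    "--username=%{Stripped-User-Name} --challence=%{mschap:Challenge:-00} "
    "--nt-response=%{mschap:NT-Response:-00}"
)

# Constructed attribute sets; values are made up, not the ones from the page.
ATTRS_WITH_DOMAIN = {"User-Name": "MI\\chand",
                     "mschap:Challenge": "0011223344556677",
                     "mschap:NT-Response": "aa" * 24}
ATTRS_NO_DOMAIN = {"User-Name": "chand",
                   "mschap:Challenge": "0011223344556677",
                   "mschap:NT-Response": "aa" * 24}


def simulate(attrs: Dict[str, str]) -> List[str]:
    """Hypothetical helper: run the realm split, then expand the command."""
    request = dict(attrs)
    split = split_realm(request["User-Name"])
    if split is not None:
        request["Realm"], request["Stripped-User-Name"] = split
    return build_ntlm_auth_command(CONFIG_NTLM_AUTH, request)


if __name__ == "__main__":
    for label, attrs in (("with domain", ATTRS_WITH_DOMAIN),
                         ("no domain", ATTRS_NO_DOMAIN)):
        argv = simulate(attrs)
        print(label, "->", " ".join(argv))
        print("  unknown options:", unknown_ntlm_auth_options(argv))
```

Run with no arguments: the `MI\chand` case yields `--username=chand`, the bare `chand` case yields an empty `--username=` (the same shape as the debug output above), and both cases report `--challence` as an option ntlm_auth does not know. Comparing the config line against the real option set is a quick check worth doing before looking elsewhere for a logon failure.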