I retyped the config. That is a typo. It should be '--challenge'.
-Chris
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Bender
Sent: Monday, August 23, 2004 4:01 PM
To: [EMAIL PROTECTED]
Subject: Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client
Did you cut and paste or type the lines from your config file? According
to the config file ntlm_auth has the argument '--challence', but the
debug output has the argument '--challenge'.
Hand, Chris wrote:
> I am trying to set up 802.1x on our network and I would like the users
> to be able to use their current Active Directory credentials.
>
> I need the AD domain to be stripped from the username so that I can feed
> it to ntlm_auth. I am using a Windows XP Pro client and Windows 2003
> server.
>
> Here is part of my config file.
>
> Modules {
> realm ntdomain {
> format = prefix
> delimiter = "\\"
> ignore_default = no
> ignore_null = no
> }
>
> eap {
> default_eap_type = peap
> timer_expire = 60
> ignore_unknown_eap_types = no
> cisco_accounting_username_bug = yes
> tls {
> private_key_password = whatever
> private_key_file = ${raddbdir}/certs/cert-srv.pem
> certificate_file = ${raddbdir}/certs/cert-srv.pem
> CA_file = ${raddbdir}/certs/demoCA/cacert.pem
> dh_file = ${raddbdir}/certs/dh
> random_file = ${raddbdir}/certs/random
> fragment_size = 1024
> include_length = yes
> }
> peap {
> default_eap_type = mschapv2
> }
> mschapv2 {
> }
> }
>
> mschap {
> authtype = MS-CHAP
> with_ntdomain_hack = no
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=MI /
> --username=%{Stripped-User-Name} --challence=%{mschap:Challenge:-00} /
> --nt-response=%{mschap:NT-Response:-00}"
> }
> }
>
> authorize {
> preprocess
> ntdomain
> eap
> files
> }
>
> authenticate {
> Auth-Type MS-CHAP {
> Mschap
> }
> eap
> }
>
> From the debug output:
> radius_xlat: Running registered xlat function of module mschap for
> string 'Challenge'
> radius_xlat: Running registered xlat function of module mschap for
> string 'NT-Response'
> Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=MI
> --username= --challenge=3d66c96d9aa150e6
> --nt-response=c97090b4f7aeeac3ea2a98e24daf1fdac43f626658cbe463
> Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
> Exec-Program: returned: 1
>
> If I try ntlm_auth manually, it works fine:
> [EMAIL PROTECTED] raddb]# ntlm_auth --requeset-nt-key --domain=MI /
> --username=chand
> password:
> NT_STATUS_OK: Success (0x0)
>
> Has anyone successfully used freeradius to authenticate against Active
> Directory (Windows 2003)?
>
> Chris Hand
> Network Engineer
> [EMAIL PROTECTED]
>
>
>
>
> -
> List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
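As an added illustration that is not code from this thread or from FreeRADIUS itself, the Python below models the two things the posted config depends on: the ntdomain realm stripping (format = prefix, delimiter = "\\") that is supposed to populate Stripped-User-Name, and the expansion of the ntlm_auth command template with its %{...} xlats. It then lints the resulting command against the ntlm_auth options the thread uses, so both a misspelt flag like --challence and an empty --username= (as seen in the debug output) are flagged before a client ever sees "Logon failure". The option set, helper names and sample values are assumptions constructed for the example.

```python
"""Model realm stripping + xlat expansion for the ntlm_auth template in the
thread, then lint the expanded command line. Example code, not FreeRADIUS."""
import re
import shlex

# Subset of real ntlm_auth options, limited to the ones the thread's template uses.
KNOWN_NTLM_AUTH_OPTS = {"--request-nt-key", "--domain", "--username",
                        "--challenge", "--nt-response"}

# The template as posted (retyped, with the '--challence' typo), joined on one line.
TEMPLATE_FROM_THREAD = ("/usr/bin/ntlm_auth --request-nt-key --domain=MI "
                        "--username=%{Stripped-User-Name} "
                        "--challence=%{mschap:Challenge:-00} "
                        "--nt-response=%{mschap:NT-Response:-00}")

def strip_ntdomain(user_name, delimiter="\\"):
    """Mimic 'realm ntdomain { format = prefix }': 'DOMAIN\\user' ->
    (Stripped-User-Name, Realm). Without the delimiter no realm is found."""
    if delimiter in user_name:
        realm, _, stripped = user_name.partition(delimiter)
        return stripped, realm
    return user_name, None

def expand_xlat(template, attrs):
    """Expand %{Attr} and %{module:Attr:-default}. A missing attribute with no
    default expands to '' (which is how '--username=' ends up empty)."""
    def repl(m):
        name, default = m.group(1), m.group(2)
        return attrs.get(name, default if default is not None else "")
    return re.sub(r"%\{(?:\w+:)?([\w-]+)(?::-([^}]*))?\}", repl, template)

def lint_ntlm_auth_cmd(cmd):
    """Return a list of problems: unknown option names and options whose
    value expanded to nothing. An empty list means the command looks sane."""
    problems = []
    for arg in shlex.split(cmd)[1:]:          # skip the program path
        opt, has_eq, val = arg.partition("=")
        if opt not in KNOWN_NTLM_AUTH_OPTS:
            problems.append(f"unknown option {opt}")
        elif has_eq and val == "":
            problems.append(f"empty value for {opt}")
    return problems

def check_thread_config(template=TEMPLATE_FROM_THREAD, user_name="MI\\chand",
                        inner_realm_stripped=True):
    """Run the whole chain for constructed sample values. When
    inner_realm_stripped is False, Stripped-User-Name is absent, as it would
    be if ntdomain never ran for the inner PEAP request."""
    attrs = {"Challenge": "3d66c96d9aa150e6",          # constructed sample
             "NT-Response": "c97090b4f7aeeac3ea2a98e2"}  # constructed sample
    if inner_realm_stripped:
        attrs["Stripped-User-Name"], _ = strip_ntdomain(user_name)
    return lint_ntlm_auth_cmd(expand_xlat(template, attrs))
```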