I retyped the config. That is a typo. It should be '--challenge'.

-Chris

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul Bender
Sent: Monday, August 23, 2004 4:01 PM
To: [EMAIL PROTECTED]
Subject: Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

Did you cut and paste or type the lines from your config file? According to the config file ntlm_auth has the argument '--challence', but the debug output has the argument '--challenge'.

Hand, Chris wrote:
> I am trying to set up 802.1x on our network and I would like the users
> to be able to use their current Active Directory credentials.
>
> I need the AD domain to be stripped from the username so that I can feed
> it to ntlm_auth. I am using a Windows XP Pro client and Windows 2003
> server.
>
> Here is part of my config file.
>
> Modules {
>     realm ntdomain {
>         format = prefix
>         delimiter = "\\"
>         ignore_default = no
>         ignore_null = no
>     }
>
>     eap {
>         default_eap_type = peap
>         timer_expire = 60
>         ignore_unknown_eap_types = no
>         cisco_accounting_username_bug = yes
>         tls {
>             private_key_password = whatever
>             private_key_file = ${raddbdir}/certs/cert-srv.pem
>             certificate_file = ${raddbdir}/certs/cert-srv.pem
>             CA_file = ${raddbdir}/certs/demoCA/cacert.pem
>             dh_file = ${raddbdir}/certs/dh
>             random_file = ${raddbdir}/certs/random
>             fragment_size = 1024
>             include_length = yes
>         }
>         peap {
>             default_eap_type = mschapv2
>         }
>         mschapv2 {
>         }
>     }
>
>     mschap {
>         authtype = MS-CHAP
>         with_ntdomain_hack = no
>         ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=MI /
>             --username=%{Stripped-User-Name} --challence=%{mschap:Challenge:-00} /
>             --nt-response=%{mschap:NT-Response:-00}"
>     }
> }
>
> authorize {
>     preprocess
>     ntdomain
>     eap
>     files
> }
>
> authenticate {
>     Auth-Type MS-CHAP {
>         Mschap
>     }
>     eap
> }
>
> From the debug output:
> radius_xlat: Running registered xlat function of module mschap for
> string 'Challenge'
> radius_xlat: Running registered xlat function of module mschap for
> string 'NT-Response'
> Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=MI
> --username= --challenge=3d66c96d9aa150e6
> --nt-response=c97090b4f7aeeac3ea2a98e24daf1fdac43f626658cbe463
> Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
> Exec-Program: returned: 1
>
> If I try ntlm_auth manually, it works fine:
> [EMAIL PROTECTED] raddb]# ntlm_auth --requeset-nt-key --domain=MI /
> --username=chand
> password:
> NT_STATUS_OK: Success (0x0)
>
> Has anyone successfully used freeradius to authenticate against Active
> Directory (Windows 2003)?
>
> Chris Hand
> Network Engineer
> [EMAIL PROTECTED]

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
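A small sanity check for the mismatch Paul spotted, added here as an example and not part of the thread or of FreeRADIUS: it takes either the `ntlm_auth = "..."` value from the mschap section or the expanded `Exec-Program:` line from `radiusd -X` output, flags option names ntlm_auth does not know (such as `--challence`), flags required options that are absent, and also flags an argument that expanded to nothing, as `--username=` does in the quoted debug line. The option list is assembled for this example and is not exhaustive.

```python
# Known ntlm_auth (Samba) options relevant to the FreeRADIUS mschap module.
# Assembled for this example; not an exhaustive list of ntlm_auth's flags.
KNOWN_OPTIONS = {
    "--request-nt-key", "--request-lm-key", "--domain", "--username",
    "--workstation", "--password", "--challenge", "--nt-response",
    "--lm-response", "--helper-protocol", "--require-membership-of",
}
# Arguments the mschap module must pass for a challenge/response check.
REQUIRED = {"--username", "--challenge", "--nt-response"}


def check_ntlm_auth_command(cmd):
    """Return a list of problems found in an ntlm_auth command line.

    Accepts the raw config value (with %{...} expansions still in place)
    or the expanded command from an 'Exec-Program:' debug line.
    """
    problems = []
    # Ignore stray line-continuation characters left over from retyping.
    tokens = [t for t in cmd.split() if t not in ("/", "\\")]
    if not tokens or not tokens[0].endswith("ntlm_auth"):
        return ["command does not invoke ntlm_auth"]
    seen = set()
    for tok in tokens[1:]:
        name, sep, value = tok.partition("=")
        if name not in KNOWN_OPTIONS:
            problems.append(f"unknown option {name!r} (typo?)")
            continue
        seen.add(name)
        if sep and value == "":
            problems.append(f"{name} expanded to an empty value")
    for name in sorted(REQUIRED - seen):
        problems.append(f"required option {name} missing")
    return problems


def exec_program_lines(debug_text):
    """Pull the expanded command(s) out of radiusd -X output."""
    return [line.split("Exec-Program:", 1)[1].strip()
            for line in debug_text.splitlines()
            if line.strip().startswith("Exec-Program:")
            and "returned:" not in line]


# Sample input: the config value and debug line quoted in the thread above.
CONFIG_VALUE = ("/usr/bin/ntlm_auth --request-nt-key --domain=MI / "
                "--username=%{Stripped-User-Name} --challence=%{mschap:Challenge:-00} / "
                "--nt-response=%{mschap:NT-Response:-00}")
DEBUG_OUTPUT = """radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=MI --username= --challenge=3d66c96d9aa150e6 --nt-response=c97090b4f7aeeac3ea2a98e24daf1fdac43f626658cbe463
Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
Exec-Program: returned: 1
"""

if __name__ == "__main__":
    print(check_ntlm_auth_command(CONFIG_VALUE))
    for cmd in exec_program_lines(DEBUG_OUTPUT):
        print(check_ntlm_auth_command(cmd))
```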