Did you try just

--username=%{Stripped-User-Name:-None}

Ron.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, January 20, 2005 9:39 AM
To: freeradius-users@lists.freeradius.org
Subject: 802.1x, PEAP, and AD

Hi all,

I'm having an issue doing PEAP against AD.  I have most of it working,
except for this.  If I use the ntlm_auth line "ntlm_auth =
"/usr/bin/ntlm_auth --request-nt-key
--username=%{Stripped-User-Name:-%{User-Name:-None}}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}" in the MSCHAP section, I get the
following debug output:

Wed Jan 19 23:56:26 2005 : Debug: modcall: entering group Auth-Type for
request 6
Wed Jan 19 23:56:26 2005 : Debug:   modsingle[authenticate]: calling mschap
(rlm_mschap) for request 6
Wed Jan 19 23:56:26 2005 : Debug:   rlm_mschap: No User-Password
configured.  Cannot create LM-Password.
Wed Jan 19 23:56:26 2005 : Debug:   rlm_mschap: No User-Password
configured.  Cannot create NT-Password.
Wed Jan 19 23:56:26 2005 : Debug:   rlm_mschap: Told to do MS-CHAPv2 for
mcapelle with NT-Password
Wed Jan 19 23:56:26 2005 : Debug: radius_xlat: Running registered xlat
function of module mschap for string 'Challenge'
Wed Jan 19 23:56:26 2005 : Debug:  mschap2: 46
Wed Jan 19 23:56:26 2005 : Debug: radius_xlat: Running registered xlat
function of module mschap for string 'NT-Response'
Wed Jan 19 23:56:26 2005 : Debug: radius_xlat:  '/usr/bin/ntlm_auth
--request-nt-key --username=AMS\\mcapelle --challenge=49ef2649993xxxxx
--nt-response=acb812c77520cad273a2dbf044b669d9d3e0ed08xxxxxxxx'
Wed Jan 19 23:56:26 2005 : Debug: Exec-Program: /usr/bin/ntlm_auth
--request-nt-key --username=AMS\\mcapelle --challenge=49ef2649993xxxxx
--nt-response=acb812c77520cad273a2dbf044b669d9d3e0ed08xxxxxxxx
Wed Jan 19 23:56:27 2005 : Debug: Exec-Program output: Logon failure
(0xc000006d)
Wed Jan 19 23:56:27 2005 : Debug: Exec-Program-Wait: plaintext: Logon
failure (0xc000006d)
Wed Jan 19 23:56:27 2005 : Debug: Exec-Program: returned: 1
Wed Jan 19 23:56:27 2005 : Debug:   rlm_mschap: External script failed.
Wed Jan 19 23:56:27 2005 : Debug:   rlm_mschap: FAILED: MS-CHAP2-Response
is incorrect

But if I replace the %{Stripped-User-Name:-%{User-Name:-None}} with
"mcapelle" the auth works.  Try as I might, I cannot figure out what I need
to put after --username to end up with a username in this format for the
ntlm_auth request.  Can anyone help?

Thanks,
Mark Capelle


- 
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
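
An added example (not part of the original thread and not FreeRADIUS code): a simplified Python model of the %{Attr:-default} fallback expansion used in the two --username values above, showing what each expands to when Stripped-User-Name is unset and when it is set. The request attributes and the strip_nt_domain helper are constructed for illustration.

```python
# Added example: simplified model of FreeRADIUS "%{Attr:-default}" expansion.
# Not FreeRADIUS code; module xlats like %{mschap:Challenge} are not modelled.

def _matching_brace(s, start):
    """Return the index of the '}' closing the '%{' whose body starts at start."""
    depth = 1
    for j in range(start, len(s)):
        if s[j] == "{":
            depth += 1
        elif s[j] == "}":
            depth -= 1
            if depth == 0:
                return j
    raise ValueError("unterminated %{...} in template")

def expand(template, attrs):
    """Expand %{Name} and %{Name:-default}; a default may nest another %{...}."""
    out, i = [], 0
    while i < len(template):
        if template.startswith("%{", i):
            end = _matching_brace(template, i + 2)
            name, has_default, default = template[i + 2:end].partition(":-")
            value = attrs.get(name)
            if not value and has_default:
                value = expand(default, attrs)  # fall back only when unset/empty
            out.append(value or "")
            i = end + 1
        else:
            out.append(template[i])
            i += 1
    return "".join(out)

def strip_nt_domain(user_name):
    """Hypothetical helper: drop a DOMAIN\\ prefix, as a stripping step would."""
    return user_name.rpartition("\\")[2]

if __name__ == "__main__":
    original = "--username=%{Stripped-User-Name:-%{User-Name:-None}}"
    suggested = "--username=%{Stripped-User-Name:-None}"
    # Constructed request modelled on the debug output: only User-Name is set.
    request = {"User-Name": "AMS\\mcapelle"}
    print(expand(original, request))
    print(expand(suggested, request))
    # Same request once an earlier step has populated Stripped-User-Name.
    request["Stripped-User-Name"] = strip_nt_domain(request["User-Name"])
    print(expand(original, request))
    print(expand(suggested, request))
```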

