I have already set it to "yes", but it doesn't work in my case.

> From the comments in radiusd.conf (under the mschap config):
>
> # Windows sends us a username in the form of
> # DOMAIN\user, but sends the challenge response
> # based on only the user portion.  This hack
> # corrects for that incorrect behavior.
> #
> with_ntdomain_hack = yes
>
> Setting with_ntdomain_hack=yes should work for you.  I had the same problem
> when first using PEAP/MS-CHAPV2.
>
> Hope this helps.
>
>
> Peter Zwilling wrote:
>> Hello all,
>>
>> I'd like to run a Wireless LAN with a Windows XP SP2 Client, a
>> FreeRADIUS 1.0.2 Server and a Windows 2003 Server with Active
>> Directory. For the authentication PEAP and MS-CHAPv2 are used. This
>> scenario works quite well when I am logged on as the local
>> Administrator on the Client and I then use username, password and
>> domain name for the logon to Active Directory via WLAN.
>>
>> But the problem is, when I want to log on with the same credentials at
>> the Windows logon prompt, I get a message that the domain is
>> unavailable.
>>
>> An abstract of the radius log details is shown below:
>>
>> ...
>> modcall: entering group Auth-Type for request 22
>>   rlm_mschap: No User-Password configured.  Cannot create LM-Password.
>> rlm_mschap: No User-Password configured.  Cannot create NT-Password.
>> rlm_mschap: Told to do MS-CHAPv2 for host/ad.test.org with
>> NT-Password
>> radius_xlat: Running registered xlat function of module mschap for
>> string 'Challenge'
>>  mschap2: cf
>> radius_xlat: Running registered xlat function of module mschap for
>> string 'NT-Response'
>> radius_xlat:  '/usr/bin/ntlm_auth --request-nt-key
>> --username=host/ad.test.org --domain=test.org
>> --challenge=cfb35490850a0c83
>> --nt-response=e4ad6e42383d30ab84725f3815b3961df9c4d5fb5aa76f80'
>> Exec-Program: /usr/bin/ntlm_auth --request-nt-key
>> --username=host/ad.test.org --domain=test.org
>> --challenge=cfb35490850a0c83
>> --nt-response=e4ad6e42383d30ab84725f3815b3961df9c4d5fb5aa76f80
>> Exec-Program output: Logon failure (0xc000006d)
>> Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
>> Exec-Program: returned: 1
>>   rlm_mschap: External script failed.
>>   rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
>>   modcall[authenticate]: module "mschap" returns reject for request 22
>> modcall: group Auth-Type returns reject for request 22
>>   rlm_eap: Freeing handler
>>   modcall[authenticate]: module "eap" returns reject for request 22
>> modcall: group authenticate returns reject for request 22
>> auth: Failed to validate the user.
>>   PEAP: Tunneled authentication was rejected.
>>   rlm_eap_peap: FAILURE
>> ...
>>
>> So, what I can see is that Windows uses the hostname, in this case
>> "ad.test.org", for authentication. But I think this should be
>> correct, because Windows should attempt to use the machine account, if
>> the user credentials are unavailable.
>>
>> So, why doesn't the authentication work with machine accounts? Does
>> anybody have the same problems getting FreeRADIUS working with Active
>> Directory?
>>
>> Sorry about my English, but I hope anybody can understand my problem.
>>
>> I would be very grateful if anybody can help me to solve this problem,
>> because I have spent so much time on this project and I cannot give
>> it up.
>>
>> Best regards
>>
>> Peter
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html

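The mismatch described in the radiusd.conf comment, as an added example that is not part of the original thread and not FreeRADIUS code: it computes the 8-byte MS-CHAPv2 challenge hash defined in RFC 2759 (the value rlm_mschap passes to ntlm_auth as `--challenge`) over a username with and without its `DOMAIN\` prefix. The challenge bytes, the name `TEST\peter` and the helper names are constructed for illustration, and the stripping rule is an assumption modelled on the comment's wording.

```python
import hashlib


def challenge_hash(peer: bytes, auth: bytes, name: str) -> bytes:
    """RFC 2759 ChallengeHash: first 8 bytes of SHA1(peer || auth || name)."""
    if len(peer) != 16 or len(auth) != 16:
        raise ValueError("MS-CHAPv2 challenges are 16 bytes each")
    return hashlib.sha1(peer + auth + name.encode("ascii")).digest()[:8]


def strip_nt_domain(name: str) -> str:
    """Hypothetical model of with_ntdomain_hack (assumption): drop a
    DOMAIN\\ prefix, leave names without a backslash untouched."""
    return name.split("\\", 1)[1] if "\\" in name else name


def server_challenge(peer: bytes, auth: bytes, sent_name: str, hack: bool) -> bytes:
    """Challenge hash the server derives from the name it received."""
    name = strip_nt_domain(sent_name) if hack else sent_name
    return challenge_hash(peer, auth, name)


# Constructed sample challenges (not taken from the log in this thread).
PEER = bytes(range(16))
AUTH = bytes(range(16, 32))


def compare(sent_name: str) -> dict:
    """Server-side challenge hash with the setting off and on."""
    return {
        "sent": sent_name,
        "hack_no": server_challenge(PEER, AUTH, sent_name, False).hex(),
        "hack_yes": server_challenge(PEER, AUTH, sent_name, True).hex(),
    }


if __name__ == "__main__":
    # Per the config comment, the client hashes only the user portion.
    print("client  :", challenge_hash(PEER, AUTH, "peter").hex())
    for sent in ("TEST\\peter", "host/ad.test.org"):
        print(compare(sent))
```

For `TEST\peter` only the `hack_yes` value matches what the client computed; for `host/ad.test.org` there is no backslash to strip, so under this model the setting does not change the challenge the server verifies.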