Ok.  I have it working. Wohoo!  Ntlm_auth was killing me for a while,
but I got that straightened out. 

Now come the corner cases.  25% of my users probably didn't follow the
directions we published, and didn't put the domain name in the Microsoft
802.1x client box.

Is there a way to construct that ntlm_auth statement so that it accepts
both the domain and no domain?

Or, and this is sorta treading into samba territory, is there a way to
configure samba for a default domain?

This is the error when the username is presented as Username and not
Domain\Username like it should be.

  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for twebmailb with NT-Password
radius_xlat: Running registered xlat function of module mschap for
string 'User-Name'
radius_xlat: Running registered xlat function of module mschap for
string 'NT-Domain'
  rlm_mschap: No NT-Domain was found in the User-Name.
radius_xlat: Running registered xlat function of module mschap for
string 'Challenge'
 mschap2: 77
radius_xlat: Running registered xlat function of module mschap for
string 'NT-Response'
radius_xlat:  '/usr/bin/ntlm_auth --request-nt-key --username=twebmailb
--domain= --challenge=3b170dd9729f2b53
--nt-response=8fdb2d2d6c2cc506f5234fccdc36d46cee1ffede07d84ed9'
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=twebmailb
--domain= --challenge=3b170dd9729f2b53
--nt-response=8fdb2d2d6c2cc506f5234fccdc36d46cee1ffede07d84ed9
Exec-Program output: Logon failure (0xc000006d) 
Exec-Program-Wait: plaintext: Logon failure (0xc000006d)  

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Michael Griego
Sent: Tuesday, April 26, 2005 8:12 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: FreeRADIUS and Active Directory

Hey, Michael,

I'm betting your ntlm_auth command, where it uses the username, looks
like this:

--username=%{Stripped-User-Name:-%{User-Name:-None}}

This is the default.  Try changing your ntlm_auth line in your
radiusd.conf to something like this:

ntlm_auth --request-nt-key --username=%{mschap:User-Name}
--domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge}
--nt-response=%{mschap:NT-Response}

It's probably choking on the fact that your domain is showing up in the
username.  This should work in your scenario; that is, as long as you can
perform a proper ntlm_auth from the command line, the above should
work for you using PEAP.

--Mike


K
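To make the failure above concrete, here is an added example (not code from the thread or from FreeRADIUS) that mimics what the mschap User-Name and NT-Domain xlats produce for the three identity forms and shows why a bare username ends up as "--domain=" in the ntlm_auth command; the default_domain fallback is an assumed illustration of the behaviour the poster is asking for, not a stock FreeRADIUS option, and the domain name CORP is a constructed placeholder.

```python
NTLM_AUTH = "/usr/bin/ntlm_auth"  # path taken from the Exec-Program line in the log


def split_nt_identity(user_name, default_domain=None):
    """Return (user, domain) the way rlm_mschap's xlats expand them.

    'DOMAIN\\user' -> ('user', 'DOMAIN'); a bare 'user' yields an empty
    domain, which is exactly what produced '--domain=' and the
    0xc000006d logon failure in the log above. default_domain is an
    assumed fallback for clients that omitted the domain (not part of
    FreeRADIUS 1.x; illustration only).
    """
    if "\\" in user_name:
        domain, user = user_name.split("\\", 1)
    else:
        user, domain = user_name, ""
    if not domain and default_domain:
        domain = default_domain
    return user, domain


def build_ntlm_auth_argv(user_name, challenge, nt_response, default_domain=None):
    """Assemble the argv FreeRADIUS would exec, mirroring the log's command line."""
    user, domain = split_nt_identity(user_name, default_domain)
    return [
        NTLM_AUTH,
        "--request-nt-key",
        f"--username={user}",
        f"--domain={domain}",
        f"--challenge={challenge}",
        f"--nt-response={nt_response}",
    ]


if __name__ == "__main__":
    # Challenge and NT-Response values copied from the log in the post above.
    challenge = "3b170dd9729f2b53"
    nt_response = "8fdb2d2d6c2cc506f5234fccdc36d46cee1ffede07d84ed9"
    for ident in ("CORP\\twebmailb", "twebmailb"):
        print(" ".join(build_ntlm_auth_argv(ident, challenge, nt_response)))
    # With the assumed fallback, the bare username no longer yields --domain=
    print(" ".join(build_ntlm_auth_argv("twebmailb", challenge, nt_response, "CORP")))
```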
