On Mon, Jul 11, 2005 at 08:12:09PM -0400, Alan DeKok wrote: > [EMAIL PROTECTED] wrote: > > > Try using just MS-CHAP with an NT password in SQL. Once that works, > > > PEAP will work. > > > > I am not entirely sure what you mean, so I tried a two different > > combinations. > > Find a RADIUS client that implements MS-CHAPv.
The native windows XP client uses MS-CHAPv2. Unless I decide to use a smartcard, the built-in client uses EAP type of PEAP and authentication of MS-CHAP-V2, /only/. > > See src/tests/mschapv1 for a sample script which can be used with > "radclient" to test MSCHAP. > I do not understand how radclient is any different compared to radtest. If I use the src/tests/mschapv1 script as input to radclient, do I not need to put some information in for user "Bob" into my SQL database? I am unsure how I need to change my radiusd.conf or authorization backend, to accommodate the script. If it is MS-CHAP-V2 which is failing, how will testing MS-CHAP-V2 with a MS-CHAP client help? I should see the same error when testing, that I see now, correct? rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = MS-CHAP' modcall[authorize]: module "mschap" returns ok for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 modcall: group authorize returns ok for request 0 rad_check_password: Found Auth-Type MS-CHAP auth: type "MS-CHAP" Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 0 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv1 with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: MS-CHAP-Response is incorrect. modcall[authenticate]: module "mschap" returns reject for request 0 modcall: group Auth-Type returns reject for request 0 auth: Failed to validate the user. Login incorrect: [bob/<no User-Password attribute>] (from client localhost port 0) > > EAP removed from authorization stanza: > > http://www.southwestern.edu/~johnk/eap_removed_authorization.txt > > If you tell the server not to use EAP, and then send it EAP > requests, it won't work. > > Alan DeKok. > > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html > --johnk - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html