Hello all: I am trying to set up an 802.1x WiFi authentication system using freeradius. My setup is as follows:
Windows XP SP2 as the supplicant using PEAP/MSCHAPv2
Cisco Aironet 1231
Freeradius 1.1.0
IBM Lotus Domino LDAP

The process is mostly working - Freeradius binds to LDAP properly, the user gets authorized, and Freeradius pulls the correct password hash from the Domino LDAP server. But then the MSCHAP portion fails. A portion of the log is shown below, which I believe shows the problem. I am thinking that the problem is that I am not telling Freeradius how to hash the supplied password correctly to match the Domino password. The aggravating part is that we are using the exact same Domino LDAP server to authenticate our VPN users.

Full (sanitized) copy of the debug output is here: http://www.xbytenetworks.com/debug-log.txt
Copy of Radiusd.conf is here: http://www.xbytenetworks.com/radiusd.conf

Thanks in advance for any help you can offer.

Jon

rlm_ldap: - authorize
rlm_ldap: performing user authorization for jon.giza
radius_xlat: '(uid=jon.giza)'
radius_xlat: 'OU=Waukesha,OU=NA,O=MyCo'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in OU=Waukesha,OU=NA,O=MyCo, with filter (uid=jon.giza)
rlm_ldap: Added password (6BDC5527858B28XXXXXXXXXEFAF2323F) in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user jon.giza authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 5
modcall: leaving group authorize (returns updated) for request 5
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 5
rlm_mschap: Told to do MS-CHAPv2 for jon.giza with NT-Password
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 5
modcall: leaving group MS-CHAP (returns reject) for request 5
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for request 5
modcall: leaving group authenticate (returns reject) for request 5
auth: Failed to validate the user.
Login incorrect: [jon.giza/<no User-Password attribute>] (from client wifi.myco.com port 0)
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE
modcall[authenticate]: module "eap" returns handled for request 5
modcall: leaving group authenticate (returns handled) for request 5
Sending Access-Challenge of id 152 to 10.100.224.235 port 1645
EAP-Message = 0x010800261900170301001b1bb3ec40925325e30990ce3b14a78af7abc1f7222d06716740d2ff
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x132496908cd3121e6967d7ddafcdd795
Finished request 5

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
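Added example (not from the original post and not FreeRADIUS code): rlm_mschap can only validate an MS-CHAPv2 response against an NT-Password check item equal to MD4(UTF-16LE(password)), so a directory value that is any other 32-hex digest fails with exactly the "MS-CHAP2-Response is incorrect" seen above. The password and the alternative digest below are constructed sample values; the MD4 routine is written out because hashlib's md4 is disabled on many current OpenSSL builds.

```python
import hashlib
import struct

def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    # RFC 1320 MD4, written out here because hashlib's "md4" is disabled on
    # many current OpenSSL builds.
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", 8 * len(data))
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (boolean function, additive constant, shifts, word order)
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19),
         tuple(range(16))),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for f, const, shifts, order in rounds:
            for i, k in enumerate(order):
                t = (a + f(b, c, d) + X[k] + const) & 0xFFFFFFFF
                a, b, c, d = d, _lrot(t, shifts[i % 4]), b, c
        h = [(x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_hash(password: str) -> bytes:
    # The NT-Password check item rlm_mschap expects: MD4 over the
    # UTF-16LE encoding of the cleartext password.
    return md4(password.encode("utf-16-le"))

def stored_hash_is_nt_password(stored_hex: str, password: str) -> bool:
    # True only if the directory value is the genuine NT hash of the password.
    # Any other 32-hex digest, or a value that is not even hex (like the
    # redacted one in the log), can never validate an MS-CHAP2-Response.
    try:
        return bytes.fromhex(stored_hex) == nt_hash(password)
    except ValueError:
        return False

if __name__ == "__main__":  # constructed sample: real NT hash vs. an MD5 of the same password
    pw = "password"
    print(stored_hash_is_nt_password(nt_hash(pw).hex(), pw))  # True
    print(stored_hash_is_nt_password(hashlib.md5(pw.encode()).hexdigest(), pw))  # False
```

The fix on the server side is to give rlm_mschap either a real NT hash (as NT-Password) or the cleartext password (as User-Password) from the directory; no other digest format will work with MS-CHAPv2.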