Yes it works with an entry in the user file

+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for s.hotz with NT-Password
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled

It works as well if I try it with the ntlm command from the radius server:

/usr/bin/ntlm_auth --request-nt-key --domain=domain --username=s.hotz

So is my guess correct that I have to investigate further in the ntlm_auth command in the mschap module? I have tried different parameters. Right now it looks like:

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{%{mschap:User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

________________________________
From: Ivan Kalik <t...@kalik.net>
To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Sent: Thursday, 17 September 2009, 19:30:15
Subject: Re: AW: Authentication with eap/mschapv2

> I have tried now both with or without encryption
>
> Module: Instantiating mschap
> mschap {
> use_mppe = yes
> require_encryption = no
> require_strong = no
> with_ntdomain_hack = yes
>
> unfortunately the result is still the same
>
> Found Auth-Type = EAP
> +- entering group authenticate {....}
> [eap] Request found, released from the list
> [eap] EAP/mschapv2
> [eap] processing type mschapv2
> rlm_eap_mschapv2: Invalid response type 4
> [eap] Handler failed in EAP/mschapv2
> [eap] Failed in EAP select
> ++[eap] returns invalid
> Failed to authenticate the user.
>
> Does it make sense to enable the encryption for mschap since the eap
> tunnel (as far as I have understood) is the whole way from the client to the
> radius server.

MPPE is encrypting connection between the user and NAS. Nothing to do with authentication encryption.

Does PEAP work for username/pass in users file? Comment out ntlm_auth line in mschap module and see if authentication can complete like that.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html