So I gave in and connected radius to my active directory (which we wish we could get rid of).
I'm getting the following error now. Any thoughts on correcting this winbind error?

[mschapv2] +- entering group MS-CHAP {...}
[mschap] NT Domain delimeter found, should we have enabled with_ntdomain_hack?
[mschap] Told to do MS-CHAPv2 for VIDEOEGG\kplimack with NT-Password
[mschap] expand: %{Stripped-User-Name} ->
[mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[mschap] expand: %{User-Name:-None} -> VIDEOEGG\kplimack
[mschap] expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -> --username=VIDEOEGG\kplimack
[mschap] expand: %{mschap:NT-Domain} -> VIDEOEGG
[mschap] expand: --domain=%{%{mschap:NT-Domain}:-VIDEOEGG} -> --domain=VIDEOEGG
[mschap] mschap2: a0
[mschap] NT Domain delimeter found, should we have enabled with_ntdomain_hack?
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=f83a0b16419a7f71
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=fa180186e7d362c5ee57c6c776619d4d72173918ebc17b93
Exec-Program output: Reading winbind reply failed! (0xc0000001)
Exec-Program-Wait: plaintext: Reading winbind reply failed! (0xc0000001)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect

On 6/18/10 1:54 PM, "Arran Cudbard-Bell" <a.cudba...@googlemail.com> wrote:

That has to go in the wiki somewhere. That's possibly the best explanation of how FreeRADIUS processes requests I've ever heard... :)

-Arran

On Jun 18, 2010, at 1:50 PM, John Dennis wrote:

> On 06/18/2010 04:03 PM, Kyle Plimack wrote:
>> So how do I get pap to do it?
>
> If you're asking how you get pap to do mschap then that's a nonsensical question.
>
> Here is how things work:
>
> The client sends you a radius auth request; you don't get to decide what's in it, the client does.
>
> The radius server looks at the request and says
>
> "hmmm... let's see what do we have here? What can I do with this?"
>
> The answer to that is what auth types you have enabled, what the server can look up, and what's in the request.
>
> The server will do something like this:
>
> "Yo unix module, can you handle this one?"
>
> "Hey pap module, can you handle this one?"
>
> "Yo mschap module, can you handle this one?"
>
> At some point hopefully one of the modules will say:
>
> "No problem, I got it"
>
> The decision as to whether a module can handle the request is made by the module by looking at the data available to it.
>
> So let's say the client sends a request with a password and you've got pap enabled. The pap module looks at the request and says
>
> "hmmm ... do I have a password for this user"
>
> if so then compare my copy of the password to what's in the request.
>
> How does radius find a user's password? By consulting its backend data store, which can be the users file, a SQL database, or ldap.
>
> So before the pap module runs ldap will run. ldap says
>
> "hmm... Can I find passwords for this user?" If so I'll add them to the request as a check item so my dear friend the pap module can use them, you know that pap guy, he's always looking for passwords.
>
> But WAIT! What if the client sends a MSCHAP request? What does the radius server say then?
>
> "Well that's a fine kettle of fish! That client has really really tied my hands on this one" The only thing the server can do is run the mschap logic.
>
> The mschap module looks at the request to see if there is a check item with either a clear text password or nt-hash (why? look at the protocol table). If those haven't been added by one of the datastores the mschap module says:
>
> "Sorry boss, no can do"
>
> But now the server has run out of options, its only choice was mschap because that's what the client sent it and the mschap module can't handle it. So the server replies:
>
> "Loser! You ain't getting in here with those credentials" (Well really Auth-Reject)
>
> --
> John Dennis <jden...@redhat.com>
>
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
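The dispatch John describes, as a small added Python model (this is illustration written for this page, not FreeRADIUS code or anything posted in the thread). Module names, return codes ("noop", "ok", "reject") and attribute names follow FreeRADIUS conventions; the user database is constructed, the ldap/pap/mschap functions are simplified stand-ins, and the MS-CHAPv2 response check is replaced by an HMAC so the model runs without DES. The point it makes is the one in the mail: the client's request decides which module can answer, and that module only succeeds if a datastore has supplied a password in a form it can use, so an SSHA-only directory entry works for pap and silently fails for mschap.

```python
"""Toy model of how FreeRADIUS picks an authentication module.

Added example: module names, return codes and attribute names mirror
FreeRADIUS conventions, but the dispatch code, the user database and the
stand-in MS-CHAPv2 check below are constructed for illustration.
"""
import base64
import hashlib
import hmac
import os

# Challenge value taken from the debug output above; used here only as sample input.
CHALLENGE = bytes.fromhex("f83a0b16419a7f71")


def make_ssha(password, salt=None):
    """{SSHA} as an LDAP directory stores it: sha1(password + salt) with the salt appended."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def check_ssha(stored, password):
    """Verify a cleartext password against an {SSHA} value (what pap can do, mschap cannot)."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


def mschap_proof(password, challenge):
    """Stand-in for the MS-CHAPv2 response computation (the real one is DES over the NT
    hash). What matters for the model is that it needs the cleartext or NT hash as input."""
    return hmac.new(password.encode("utf-16-le"), challenge, hashlib.sha256).hexdigest()


# Constructed backend: what the users file or ldap hands back as check items.
USER_DB = {
    "alice": {"Cleartext-Password": "correct horse"},        # pap and mschap can both use this
    "bob": {"SSHA-Password": make_ssha("battery staple")},  # only pap can use this
}


def ldap_authorize(request, check):
    """authorize stage: a datastore adds whatever password form it holds as check items."""
    entry = USER_DB.get(request.get("User-Name"))
    if entry is None:
        return "notfound"
    check.update(entry)
    return "updated"


def pap_authenticate(request, check):
    if "User-Password" not in request:
        return "noop"                       # not a PAP request, nothing for pap to do
    pw = request["User-Password"]
    if "Cleartext-Password" in check:
        return "ok" if hmac.compare_digest(check["Cleartext-Password"].encode(), pw.encode()) else "reject"
    if "SSHA-Password" in check:
        return "ok" if check_ssha(check["SSHA-Password"], pw) else "reject"
    return "noop"                           # no password form pap can compare against


def mschap_authenticate(request, check):
    if "MS-CHAP2-Response" not in request:
        return "noop"                       # not an MS-CHAP request
    if "Cleartext-Password" not in check:   # the real module also accepts NT-Password
        return "noop"                       # "Sorry boss, no can do"
    expected = mschap_proof(check["Cleartext-Password"], CHALLENGE)
    return "ok" if hmac.compare_digest(expected, request["MS-CHAP2-Response"]) else "reject"


AUTHORIZE = [ldap_authorize]
AUTHENTICATE = [pap_authenticate, mschap_authenticate]


def process(request):
    """Run authorize (datastores fill check items), then ask each auth module in turn."""
    check = {}
    for module in AUTHORIZE:
        module(request, check)
    for module in AUTHENTICATE:
        result = module(request, check)
        if result == "ok":
            return "Access-Accept"
        if result == "reject":
            return "Access-Reject"
    return "Access-Reject"                  # nobody could handle it: the "Loser!" case


if __name__ == "__main__":
    # bob's SSHA entry satisfies pap but not mschap, which is the situation the mail describes.
    print(process({"User-Name": "bob", "User-Password": "battery staple"}))
    print(process({"User-Name": "bob", "MS-CHAP2-Response": mschap_proof("battery staple", CHALLENGE)}))
```

Run it as-is and the two prints show Access-Accept for bob over PAP and Access-Reject for the same user and password over MS-CHAPv2, because the only check item the directory supplied was an SSHA hash. In a real deployment the fix is on the datastore side (supply Cleartext-Password or NT-Password, or hand the check to ntlm_auth as in the log above), not on the server's choice of module.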