On 08/10/10 14:24, Mark Holmes wrote:
> and I see the server returns Access-Accept.
Firstly, don't set Auth-Type. It's almost always the wrong thing to do.
Secondly, this is just testing PAP i.e. plain username/password auth.
Wireless typically uses 802.1x via EAP.
> I then configure MS-CHAP, removing the DEFAULT Auth-Type from users
> and editing modules/mschap as follows
>
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
That looks about right.
> Output from radius -X at the bottom of this message. The bit that
> looks relevant to me is
>
> ++[mschap] returns noop
No, you're misreading it - see below.
> [suffix] Looking up realm "mydomain.ox.ac.uk" for User-Name = "firstname.lastn...@mydomain.ox.ac.uk"
> [suffix] No such realm "mydomain.ox.ac.uk"
>
> However I'm not sure I need to worry about that bit - at the moment
> this is just a single, stand-alone RADIUS server, so I'm not sure I
> need to worry about realms, or do I?
Not for the moment.
> Not sure where to go from here - are there some basic things I should
> check? I haven't included my conf files in this post but happy to do
> so if required.
Don't post the config files. The *full* debug output (from start to
failure) is what's needed. Something like:
/usr/sbin/radiusd -X | tee thelog.txt
EAP is a multi-pass protocol; there will be 4-8 requests, and the actual
MS-CHAP failure will be somewhere in the middle, after the EAP-PEAP TLS
tunnel is established, but before the failure is sent.
> Output from -X
That's just the final packet.
> [peap] Had sent TLV failure. User was rejected earlier in this session.
> [eap] Handler failed in EAP/peap
This is an EAP-PEAP, not an MS-CHAP, request (hence the noop). The failure
occurred in an earlier packet; please post the full debug output.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
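The reply above makes the point that in a PEAP session the interesting module return is buried in the middle of a multi-packet exchange, and the last packet only shows the TLV failure. As an added example (not code from this thread or from the FreeRADIUS project), the script below splits "radiusd -X" output into per-packet sections on the "rad_recv:" lines, collects every "++[module] returns code" line inside each packet, and reports the earliest packet in which a module returned a failing code, together with the module's own "[module] FAILED" reason line where one is present. The debug text it runs on is constructed to resemble the 2.x debug format; real output is longer and the exact messages vary by version.

```python
"""Find the first failing module inside a multi-pass EAP session in radiusd -X output.

Added example, not from the thread or the FreeRADIUS project. SAMPLE_DEBUG is a
constructed approximation of 'radiusd -X' output for a PEAP/MS-CHAPv2 session.
"""
import re

# Constructed sample: four Access-Requests; the inner MS-CHAPv2 check fails in
# packet id=3, and the final packet only carries the PEAP TLV failure.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 10.0.0.5 port 1812, id=1, length=150
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
++[eap] returns updated
+- entering group authenticate {...}
++[eap] returns handled
rad_recv: Access-Request packet from host 10.0.0.5 port 1812, id=2, length=230
++[mschap] returns noop
++[eap] returns updated
[peap] processing EAP-TLS
++[eap] returns handled
rad_recv: Access-Request packet from host 10.0.0.5 port 1812, id=3, length=200
++[mschap] returns noop
++[eap] returns updated
[peap] Got tunneled request
[mschap] Told to do MS-CHAPv2 for alice with NT-Password
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[peap] Tunneled authentication was rejected.
++[eap] returns handled
rad_recv: Access-Request packet from host 10.0.0.5 port 1812, id=4, length=120
++[mschap] returns noop
++[eap] returns updated
[peap] Had sent TLV failure. User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
++[eap] returns invalid
Sending Access-Reject of id 4 to 10.0.0.5 port 1812
"""

# One packet section starts at each "rad_recv:" line.
PACKET_RE = re.compile(r"^rad_recv: (\S+) packet from host (\S+) port \d+, id=(\d+)")
# Module return lines look like "++[mschap] returns noop" (depth shown by '+').
RETURN_RE = re.compile(r"^\++\[(\w+)\] returns (\w+)")
# Return codes that end the request unsuccessfully.
FAILURE_CODES = {"reject", "fail", "invalid", "userlock"}


def split_packets(debug_text):
    """Group debug lines by the Access-Request they belong to."""
    packets = []
    current = None
    for line in debug_text.splitlines():
        m = PACKET_RE.match(line)
        if m:
            current = {"type": m.group(1), "client": m.group(2),
                       "id": int(m.group(3)), "lines": []}
            packets.append(current)
        elif current is not None:
            current["lines"].append(line)
    return packets


def module_returns(packet):
    """List (module, return_code) pairs in the order they appear in one packet."""
    found = []
    for line in packet["lines"]:
        m = RETURN_RE.match(line)
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def first_failure(debug_text):
    """Return (packet_id, module, code, reason_line) for the earliest failing
    module return, or None if every module returned a non-failing code."""
    for pkt in split_packets(debug_text):
        for module, code in module_returns(pkt):
            if code in FAILURE_CODES:
                prefix = "[%s] FAILED" % module
                reason = next((l for l in pkt["lines"] if l.startswith(prefix)), None)
                return (pkt["id"], module, code, reason)
    return None


def summarize(debug_text):
    """One line per packet: its id and every module return, for a quick scan."""
    return ["id=%d: %s" % (p["id"], ", ".join("%s=%s" % mr for mr in module_returns(p)))
            for p in split_packets(debug_text)]


if __name__ == "__main__":
    for line in summarize(SAMPLE_DEBUG):
        print(line)
    print("first failure:", first_failure(SAMPLE_DEBUG))
```

Run it against a saved log with something like `first_failure(open("thelog.txt").read())`; the summary lines make it easy to see that "[mschap] returns noop" in the outer packets is expected, and that the reject in the tunneled packet is the one to investigate.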