Hi,

> I'm new to freeradius, I'm working on setting it up to authenticate users to
> our wireless network. We want to use PEAP-MSCHAPv2 and authenticate against
> Active Directory. I'm using samba and ntlm_auth.

okay - a fairly standard setup for modern 802.1X

> Versions:freeradius2-2.1.7-7.el5 and samba3.0.33-3.29

okay - the right 'blend'..as it were

> I have the ntlm_auth part working in as far as I can put DEFAULT Auth-Type =
> ntlm_auth in users and then do

you don't need to set Auth-Type for the MSCHAPv2 stuff... you might need it if, for example, you wanted to do MSCHAPv2 AND kerberos for different types of requests - even then, you only need to set kerberos to be the Auth-Type as the EAP module is intelligent

> I then configure MS-CHAP, removing the DEFAULT Auth-Type from users and
> editing modules/mschap as follows
>
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> --username=%{mschap:User-Name:-None}
> --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} --challenge=%{mschap:Challenge:-00}
> --nt-response=%{mschap:NT-Response:-00}"

do you REALLY want to accept what the user puts in as the gospel truth? ie, I wouldn't be comfortable taking the user-supplied domain for the ntlm_auth - I'd set it manually (if it really was a local user!)

> Output from radius -X at the bottom of this message. The bit that looks
> relevant to me is

what you have posted is the 'replay' of a transaction - try starting the daemon up and launching the request ASAP - ie so what we have is straight after the 'listen and ready' line - especially as with your current ntlm_auth line I'd expect to see a deprecated warning

> [suffix] Looking up realm "mydomain.ox.ac.uk" for User-Name =
> "firstname.lastn...@mydomain.ox.ac.uk"
> [suffix] No such realm "mydomain.ox.ac.uk"
>
> However I'm not sure I need to worry about that bit - at the moment this is
> just a single, stand alone RADIUS server so I'm not sure I need to worry
> about realms or do I?....

it'd still be best to define that realm, if using prefix, to be local eg in proxy.conf

    realm mydomain.ox.ac.uk {
        strip
    }

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
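
The reply's point about the domain argument, as an added configuration example (not part of the original thread and not the poster's actual files): the `ntlm_auth` line from the question beside a version with the domain set by the administrator. `MYDOMAIN` is the placeholder from the question; rewriting the remaining expansions in the nested `%{%{...}:-...}` form is an assumption about what the deprecation warning mentioned in the reply refers to.

```conf
# modules/mschap

mschap {
	# As posted in the question: the NT domain comes from the identity the
	# client sends inside MS-CHAP, and MYDOMAIN is only the fallback when
	# the client sends none. The client therefore chooses which domain
	# ntlm_auth is asked to check the response against.
	#
	# ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
	#     --username=%{mschap:User-Name:-None}
	#     --domain=%{%{mschap:NT-Domain}:-MYDOMAIN}
	#     --challenge=%{mschap:Challenge:-00}
	#     --nt-response=%{mschap:NT-Response:-00}"

	# Domain pinned: whatever domain part the client supplies is ignored
	# and every request is checked against the one intended AD domain.
	# Kept on a single line; the expansions use the nested conditional
	# form described in "man unlang" (assumption, see lead-in).
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{mschap:User-Name}:-None} --domain=MYDOMAIN --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

# proxy.conf
#
# Realm definition as given in the reply. With no home server pool
# listed, requests for this realm are handled locally rather than
# proxied, which removes the 'No such realm' line from the debug output.
realm mydomain.ox.ac.uk {
	strip
}
```

After restarting the daemon in debug mode, the expanded `ntlm_auth` command line in the output should show `--domain=MYDOMAIN` whatever identity the client presents.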