Alan, Thanks for your reply.
>how are you testing this - a real client, command line tool etc? when you run >it in full >debug mode - and you arent helping yourself by failing to post that here I'm testing with a real client and access point. OK - I wasn't sure posting the whole debug would be appreciated, but I have posted it at http://www.nuffield.ox.ac.uk/scratch/debug-log-2.txt > you should see the incantation of the ntlm_auth line - if not, then it's not > being called I can only see two references to ntlm_auth, this:- Module: Instantiating ntlm_auth exec ntlm_auth { wait = yes program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" input_pairs = "request" shell_escape = yes } And another line indicating the ntlm_auth config file is being included:- including configuration file /etc/raddb/modules/ntlm_auth Should I also see ntlm_auth being called during the authentication - presumably I should... Thanks, Mark -----Original Message----- From: freeradius-users-bounces+mark.holmes=nuffield.ox.ac...@lists.freeradius.org [mailto:freeradius-users-bounces+mark.holmes=nuffield.ox.ac...@lists.freeradius.org] On Behalf Of Alan Buxey Sent: 12 October 2010 10:41 To: FreeRadius users mailing list Subject: Re: Problem with MSCHAP Hi, > I've pasted my debug output into the web tool and it picks out the following > in red > > security { > max_attributes = 200 > reject_delay = 1 (This line in red) > status_server = yes > } > > > (all in red) > Module: Instantiating attr_filter.access_reject > attr_filter attr_filter.access_reject { > attrsfile = "/etc/raddb/attrs.access_reject" ignore those - the word 'reject' is being flagged without context. > [pap] WARNING! No "known good" password found for the user. Authentication > may fail because of this. (In yellow) okay. > I also see (not highlighted) that I'm still getting > > [mschap] No Cleartext-Password configured. Cannot create LM-Password. > [mschap] No Cleartext-Password configured. Cannot create NT-Password. > [mschap] Told to do MS-CHAPv2 for hol...@mydomain.ox.ac.uk with NT-Password > [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. > [mschap] FAILED: MS-CHAP2-Response is incorrect and that will mean that MSCHAPv2 wont be working > I have configured modules/mschap to use ntlm_auth as follows > > ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key > --username=%{mschap:User-Name:-None} > --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} --challenge=%{mschap:Challenge:-00} > --nt-response=%{mschap:NT-Response:-00}" > > Am I missing something in the MSCHAP config? how are you testing this - a real client, command line tool etc? when you run it in full debug mode - and you arent helping yourself by failing to post that here - you should see the incantation of the ntlm_auth line - if not, then its not being called...and it would be with the default configuration files. alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html