On 19/04/11 14:59, East, Bill wrote:
Have you made sure that your root cert is present in the right stores - remember Windows clients have both machine and per-user cert stores.
Machine auth requires it be in the machine store.
Bah, I should have known that. It's fixed, now.
Cool
This looks highly promising.
I've got the syntax right in mschap now, I think, but the challenge is still
being created strangely (or is it supposed to look like that?)
[mschapv2] # Executing group from file /etc//raddb/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: host/LP-0010.pffcu.org
[mschap] Told to do MS-CHAPv2 for host/LP-0010.pffcu.org with NT-Password
[mschap] expand: %{mschap:User-Name} -> LP-0010$
[mschap] expand: --username=%{%{mschap:User-Name}:-%{User-Name:-None}} -> --username=LP-0010$
[mschap] mschap2: ac
[mschap] Creating challenge hash with username: host/LP-0010.pffcu.org
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=cc01b9d88b911c44
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=0a186dec8193bed90f305cabfc6f48f5a3621c58672b98a8
This all looks right (I have spent a distressing amount of time looking
at MS-CHAP blobs this last week)
Exec-Program output: Logon failure (0xc000006d)
Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
...but obviously this didn't work.
What version of Samba do you have? Some (much) older versions didn't
permit machine account login via ntlm_auth.
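Added example, not part of the original thread and not FreeRADIUS code: a Python sketch that parses the debug lines quoted above, checks that the challenge and NT-Response handed to ntlm_auth have the expected sizes (8 and 24 bytes), and computes the RFC 2759 ChallengeHash to show that it depends on the exact username string being hashed. The peer and authenticator challenges are constructed sample values and the function names are hypothetical.

```python
import hashlib
import re

# Debug lines copied from the thread above (wrapped lines rejoined).
DEBUG_LOG = """\
[mschap] Creating challenge hash with username: host/LP-0010.pffcu.org
[mschap] expand: --username=%{%{mschap:User-Name}:-%{User-Name:-None}} -> --username=LP-0010$
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=cc01b9d88b911c44
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=0a186dec8193bed90f305cabfc6f48f5a3621c58672b98a8
"""

# Constructed sample challenges (16 bytes each); not taken from the thread.
PEER = bytes(range(16))
AUTH = bytes(range(16, 32))
EXPECTED_HEX_LEN = {"challenge": 16, "nt-response": 48}  # 8 and 24 bytes


def parse_ntlm_auth_args(log):
    """Return the expanded ntlm_auth arguments plus the username that was hashed."""
    args = dict(re.findall(r"-> --([a-z-]+)=(\S+)", log))
    m = re.search(r"challenge hash with username: (\S+)", log)
    args["hash-username"] = m.group(1) if m else None
    return args


def check_blobs(args):
    """List shape problems in the challenge / NT-Response hex strings."""
    problems = []
    for name, want in EXPECTED_HEX_LEN.items():
        value = args.get(name, "")
        if not re.fullmatch(r"[0-9a-f]{%d}" % want, value):
            problems.append("%s: expected %d hex chars, got %r" % (name, want, value))
    return problems


def challenge_hash(peer_challenge, auth_challenge, username):
    """RFC 2759 ChallengeHash: first 8 bytes of SHA1(peer || auth || username)."""
    data = peer_challenge + auth_challenge + username.encode("ascii")
    return hashlib.sha1(data).digest()[:8].hex()


if __name__ == "__main__":
    args = parse_ntlm_auth_args(DEBUG_LOG)
    print("shape problems:", check_blobs(args) or "none")
    for name in (args["hash-username"], args["username"]):
        print(name, "->", challenge_hash(PEER, AUTH, name))
```

A value of 00 for either blob is the `:-00` default in the expansion, meaning the attribute was missing; check_blobs reports that case.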