PS: I apparently have to leave the "DEFAULT Auth-Type = ntlm_auth " in the users file or "nothing" works. FWIW I am exclusively using AD/ntlm_auth for all auth types, so hopefully this won't matter? I did find a Wiki article about updating the control such that if Auth-Type doesn't exist then set it to ntlm_auth. I have this in my 2.1.6 deployment, so may copy it over here as well. I'm trying to change as little as possible from the default confs....
________________________________
From: Gary Gatten
Sent: Wednesday, May 11, 2011 3:13 PM
To: FreeRadius users mailing list
Subject: MSCHAP failing on new 2.1.10 install

PAP works, MSCHAP fails - specifically MSCHAPv2. This is a fresh install of 2.1.10, built from source. I'm using ntlm_auth; samba version 3.0.33-3.7.el5

I also have version 2.1.6 running on the same box and it "mostly" works: seems to work with everything except Winblows7, hence I installed 2.1.10 in a different dir structure and it's listening on different ports. I just tested a login using the same user account and pw; works great on 2.1.6 but fails on 2.1.10. I've tried 4 or 5 different command strings for ntlm_auth - no go. It's as if mschap is not using ntlm_auth, but not sure. I'll keep checking and googling, but any hints would be appreciated!

TIA!

Gary

I've changed only the minimum from the default, clients.conf and the recommended for integrating with AD: http://deployingradius.com/documents/configuration/active_directory.html

rad_recv: Access-Request packet from host 1.1.2.4 port 33350, id=19, length=224
	NAS-IP-Address = 1.1.2.4
	NAS-Port = 0
	NAS-Port-Type = Wireless-802.11
	User-Name = "netengtest"
	Calling-Station-Id = "000000000000"
	Called-Station-Id = "000B8661BF34"
	MS-CHAP-Challenge = 0x9b1a142405c7a0dbe4f486d9d3fb2090
	MS-CHAP2-Response = 0x00006cda5d434c296668b7f2b446899e01af0000000000000000419c6cfec984b856377a6c40c6144373a1dbc14f777ce8eb
	Service-Type = Login-User
	Aruba-Location-Id = "N/A"
	NAS-Identifier = "My802.11controller"
	Message-Authenticator = 0x02610ba4a72cdc35ce94415f1ae46dcb
# Executing section authorize from file /devel/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "netengtest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 2
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /devel/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Creating challenge hash with username: netengtest
[mschap] Told to do MS-CHAPv2 for netengtest with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
Failed to authenticate the user. Using Post-Auth-Type Reject
# Executing group from file /devel/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> netengtest
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 3 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 3
Sending Access-Reject of id 19 to 1.1.2.4 port 33350
Waking up in 4.9 seconds.
Cleaning up request 3 ID 19 with timestamp +372
Ready to process requests.
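For readers hitting the same "Told to do MS-CHAPv2 ... with NT-Password" / "FAILED: No NT/LM-Password" pair, here is the shape of the AD integration the deployingradius page describes, written out as an added example (not Gary's files and not anything posted in the thread): rlm_mschap is told to call ntlm_auth itself, the exec ntlm_auth module stays for PAP only, and Auth-Type is set to ntlm_auth only when no module has already chosen one. The ntlm_auth binary path and the domain name EXAMPLE are assumptions.

```text
# raddb/modules/mschap  (FreeRADIUS 2.x)
# Without the ntlm_auth line, rlm_mschap can only verify the MS-CHAPv2
# response against an NT-Password it does not have, which is the failure
# seen in the debug output above. With it, the challenge and response are
# handed to winbind, which verifies them against the domain controller.
mschap {
	use_mppe = yes
	with_ntdomain_hack = yes

	# /usr/bin/ntlm_auth is an assumed path for a stock Samba 3 package.
	# --request-nt-key makes ntlm_auth return the NT key so MPPE keys can be derived.
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

# raddb/modules/ntlm_auth  (exec module, PAP only)
# A plaintext password check cannot validate a challenge/response, so this
# module must never be the Auth-Type for an MS-CHAP request.
exec ntlm_auth {
	wait = yes
	program = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{mschap:User-Name} --password=%{User-Password}"
}

# raddb/sites-enabled/default, authorize section (module order as in the debug log)
authorize {
	preprocess
	chap
	mschap          # sets Auth-Type = MSCHAP when MS-CHAP attributes are present
	digest
	suffix
	eap
	files
	# Equivalent to "DEFAULT Auth-Type = ntlm_auth" in the users file: the
	# "=" operator there, like this block, only sets Auth-Type when it is not
	# already set. A ":=" would override the mschap module's choice and send
	# MS-CHAPv2 requests to the PAP-only exec module, which always fails.
	if (!control:Auth-Type) {
		update control {
			Auth-Type := ntlm_auth
		}
	}
	expiration
	logintime
	pap
}
```

Before restarting radiusd, run the ntlm_auth command by hand as the account radiusd runs under: if winbind is not joined to the domain, or that account cannot read the winbindd privileged socket directory, rlm_mschap fails in the same way no matter what the configuration says.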