Hi Phil, and Alan,

I will get you the debug output for Windows XP SP3 boxes (likely Monday).

I will summarise what we have. Basically, this is a setup where the client is using eDirectory to authorize the users using the rlm_ldap module. On the Windows boxes, it is configured to do PEAP using MSCHAPv2. When we send a host credential (i.e. host/mycomputer.domain.tld), it will pass the authorization, and during the authentication phase it will use ntlm_auth to ensure that the machine is a member of the domain. That part is working fine; the mschap module does its job.

For the users, they have Windows 7 and Windows XP. Windows 7 appears to be working without problems, since the username is sent without the computer name as the domain prefix. The problem comes with the Windows XP boxes. If we let Windows send the credentials automatically (when Novell logs in), the LDAP authorization will work properly, but the authentication will fail even if the Cleartext-Password attribute is set by the LDAP module. It will throw that MS-CHAP error. We also ensure that everything that comes from something that is not matching host/something will use MS-CHAP-NTLM-Auth = No.

The only way to make Windows XP work is to disable the "automatically send username" thing and only send the username without the domain name. However, the user experience will definitely be terrible.

The NAS Client is an Avaya Access Point.

Thanks for your feedback, guys, it is appreciated. I will get you the debug information and the sites configuration as soon as I can.

Have a nice weekend.

--
Francois Gaudreault, ing. jr
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)
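The policy described in the message above (host/ identities go through ntlm_auth, everything else is checked against the LDAP Cleartext-Password with NTLM auth disabled, and a Windows XP DOMAIN\user prefix is stripped before the LDAP lookup) can be expressed as an inner-tunnel authorize section. This is an added illustration, not the poster's configuration and not something from the FreeRADIUS or PacketFence projects. It assumes FreeRADIUS 2.x unlang, the ldap and mschap modules named as in the message, and that rlm_ldap's default filter uses Stripped-User-Name when it is set; the control attribute in the FreeRADIUS dictionary is spelled MS-CHAP-Use-NTLM-Auth, which is what is used here. The backslash escaping in the regex is the form that the 2.x config parser reduces to a single literal backslash and is an assumption to check against your version.

```unlang
# Hypothetical excerpt from sites-enabled/inner-tunnel (added example, not the poster's config)
authorize {
    if (User-Name =~ /^host\//) {
        # Machine account (host/computer.domain.tld): let ntlm_auth decide
        # whether the computer is a domain member.
        update control {
            MS-CHAP-Use-NTLM-Auth := Yes
        }
    }
    elsif (User-Name =~ /^([^\\\\]+)\\\\(.+)$/) {
        # Windows XP sent COMPUTER\user or DOMAIN\user. Keep only the user
        # part for the eDirectory lookup and do not call ntlm_auth.
        # (Escaping assumption: "\\\\" becomes one literal backslash in the regex.)
        update request {
            Stripped-User-Name := "%{2}"
        }
        update control {
            MS-CHAP-Use-NTLM-Auth := No
        }
    }
    else {
        # Plain user identity (the Windows 7 case): LDAP password only.
        update control {
            MS-CHAP-Use-NTLM-Auth := No
        }
    }

    # rlm_ldap populates control:Cleartext-Password from eDirectory;
    # rlm_mschap then sets Auth-Type := MS-CHAP for the EAP-MSCHAPv2 inner request.
    ldap
    mschap
}
```

Running `radiusd -X` and watching the inner-tunnel authorize output shows which branch was taken and whether Stripped-User-Name and Cleartext-Password were set before mschap ran, which is the first thing to compare between a Windows 7 and a Windows XP attempt.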

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
