I took Alan Buxey's advice and installed FreeRADIUS 2.1.10 and Samba 3.5.6-86.
After solving other problems along the way, I got to the final test of FR with AD and ntlm_auth using 'eapol_test'. This gave the Certificate_Compatibility warning.

I then went back through the process of creating production certificates:

- Deleted *csr, *key, ca.pem, server.crt, server.p12.
- Cleared the contents of index.txt (to prevent an error with openssl).
- Ran 'make'.
- Ensured all files in the certs directory are group owned by the 'radiusd' group.
- Successfully ran 'eapol_test' against various config files with the ca_cert entry un-commented.

However, running 'eapol_test -c peap-mschapv2-cert-ntlm_auth.conf -s testing123' on the server on which FreeRadius is installed still fails with the Certificate Compatibility warning.

Can anyone help me work out what I've done wrong or not done?

Thanks
Martin.

peap-mschapv2-cert-ntlm_auth.conf
=================================
#
# eapol_test -c peap-mschapv2-cert-ntlm_auth.conf -s testing123
#
# eapol_version=1
# fast_reauth=0
network={
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="USERNAME"
    # anonymous_identity="anonymous"
    password="PASSWORD"
    phase2="autheap=MSCHAPV2"
    # priority=10
    #
    # Uncomment the following to perform server certificate validation.
    ca_cert="/etc/raddb/certs/ca.der"
}

ca.cnf
======
[ ca ]
default_ca = CA_default

[ CA_default ]
dir = ./
certs = $dir
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir
certificate = $dir/ca.pem
serial = $dir/serial
crl = $dir/crl.pem
private_key = $dir/ca.key
RANDFILE = $dir/.rand
name_opt = ca_default
cert_opt = ca_default
default_days = 365
default_crl_days = 30
default_md = sha1
preserve = no
policy = policy_match

[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
prompt = no
distinguished_name = certificate_authority
default_bits = 2048
input_password = INPUT_PW
output_password = OUTPUT_PW
x509_extensions = v3_ca

[certificate_authority]
countryName = UK
stateOrProvinceName = United Kingdom
localityName = West of England
organizationName = UWE
emailAddress = email_addr...@uwe.ac.uk
commonName = "UWE, Bristol"

[v3_ca]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:true

server.cnf
==========
[ ca ]
default_ca = CA_default

[ CA_default ]
dir = ./
certs = $dir
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir
certificate = $dir/server.pem
serial = $dir/serial
crl = $dir/crl.pem
private_key = $dir/server.key
RANDFILE = $dir/.rand
name_opt = ca_default
cert_opt = ca_default
default_days = 365
default_crl_days = 30
default_md = sha1
preserve = no
policy = policy_match

[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
prompt = no
distinguished_name = server
default_bits = 2048
input_password = INPUT_PW
output_password = OUTPUT_PW

[server]
countryName = UK
stateOrProvinceName = United Kingdom
localityName = West of England
organizationName = UWE
emailAddress = email_addr...@uwe.ac.uk
commonName = "UWE, Bristol"

client.cnf
==========
[ ca ]
default_ca = CA_default

[ CA_default ]
dir = ./
certs = $dir
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir
certificate = $dir/server.pem
serial = $dir/serial
crl = $dir/crl.pem
private_key = $dir/server.key
RANDFILE = $dir/.rand
name_opt = ca_default
cert_opt = ca_default
default_days = 365
default_crl_days = 30
default_md = sha1
preserve = no
policy = policy_match

[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
prompt = no
distinguished_name = client
default_bits = 2048
input_password = INPUT_PW
output_password = OUTPUT_PW

[client]
countryName = UK
stateOrProvinceName = United Kingdom
localityName = West of ENgland
organizationName = UWE
emailAddress = email_addr...@uwe.ac.uk
commonName = "UWE, Bristol"

P.S. Let me know if it would help to include other files.

-----Original Message-----
From: freeradius-users-bounces+martin.ubank=uwe.ac...@lists.freeradius.org [mailto:freeradius-users-bounces+martin.ubank=uwe.ac...@lists.freeradius.org] On Behalf Of Alan Buxey
Sent: 17 October 2011 09:21
To: FreeRadius users mailing list
Subject: Re: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP

Hi,

> Thanks for that.
> I had left some previous versions of files in the modules directory not
> knowing that they are still active.
> Moving them to another location progressed me to the following error:

yes, FreeRADIUS will read ALL files in sites-enabled/ and ALL files in
modules/ directory. never leave 'backups' or editor backups (tilde emacs
files) or RCS etc versions lying around in those directories (this is a
common problem)

> This was fixed by issuing this command:
>
> 'chgrp radiusd /var/lib/samba/winbindd_privileged'

yep

> The next problem I got was
>
> "EAP-MSCHAPV2: Received success
> EAP-MSCHAPV2: Invalid authenticator response in success request"
>
> Googling this suggests there is a bug in the version of Samba I'm using and
> that I need to install version 3.0.30.

the latest SAMBA release in 3.5.x should work fine. I note you are running
2.1.9 - why that version? 2.1.10 should be available for CentOS 6 with yum.
if self-compiling, use 2.1.12

alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
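As an added example (not from Martin's or Alan's mail, and not FreeRADIUS or OpenSSL code), this Python model reproduces the two checks 'openssl ca' applies before signing with the ca.cnf above: policy_match against the CA's own DN, and the default unique_subject = yes rule over index.txt, which rejects a second certificate whose subject already has a valid entry. The [server] and [client] sections above request identical subjects, so the second signing fails until index.txt is cleared; the index.txt line below is constructed to show that.

```python
# Added example, not from the thread: model the 'openssl ca' policy and unique_subject checks.

# DN of the CA, from ca.cnf [certificate_authority]
CA_DN = {"C": "UK", "ST": "United Kingdom", "L": "West of England", "O": "UWE",
         "emailAddress": "email_addr...@uwe.ac.uk", "CN": "UWE, Bristol"}
# ca.cnf [policy_match]; with preserve = no, OpenSSL keeps only these fields, in this
# order, in the issued subject (localityName is therefore dropped)
POLICY = [("C", "match"), ("ST", "match"), ("O", "match"), ("OU", "optional"),
          ("CN", "supplied"), ("emailAddress", "optional")]

def policy_subject(req_dn):
    """Apply policy_match to a request DN; returns (problems, issued subject string)."""
    problems, parts = [], []
    for field, rule in POLICY:
        value = req_dn.get(field)
        if rule == "match" and value != CA_DN[field]:
            problems.append(f"{field}={value!r} does not match CA {CA_DN[field]!r}")
        elif rule == "supplied" and not value:
            problems.append(f"{field} must be supplied")
        if value:
            parts.append(f"{field}={value}")
    return problems, "/" + "/".join(parts)

def parse_index(text):
    """Parse index.txt (tab separated): status V/R/E, expiry YYMMDDHHMMSSZ,
    revocation time, serial, certificate filename, subject."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            status, expiry, revoked, serial, _fname, subject = line.split("\t")
            rows.append({"status": status, "expiry": expiry, "revoked": revoked,
                         "serial": serial, "subject": subject})
    return rows

def can_issue(index_text, req_dn, unique_subject=True):
    """Policy check, then the default unique_subject=yes rule: a valid (V) entry with
    the same subject makes 'openssl ca' fail with 'TXT_DB error number 2'."""
    problems, subject = policy_subject(req_dn)
    if unique_subject:
        for row in parse_index(index_text):
            if row["status"] == "V" and row["subject"] == subject:
                problems.append(f"subject already issued as serial {row['serial']}")
    return problems

# Constructed index.txt after the server cert from server.cnf has been signed
INDEX = ("V\t121016120000Z\t\t01\tunknown\t/C=UK/ST=United Kingdom/O=UWE"
         "/CN=UWE, Bristol/emailAddress=email_addr...@uwe.ac.uk\n")
# The subject requested by client.cnf [client]: identical to the server's
CLIENT_DN = {"C": "UK", "ST": "United Kingdom", "L": "West of ENgland", "O": "UWE",
             "emailAddress": "email_addr...@uwe.ac.uk", "CN": "UWE, Bristol"}
```

Running can_issue(INDEX, CLIENT_DN) reports the clash; giving the client a distinct commonName, or setting unique_subject = no in [ CA_default ], lets it sign without emptying index.txt.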