On 01/12/2012 01:23 PM, lmgo5991 wrote:
> Hi,
> Could someone please shed some light on where we are going wrong. We
> have followed the documentation provided; however, it is unclear where to
> reference our internal AD servers.

Your subject line is a bit confusing. You say "proxy settings" but I see no evidence that you are doing any proxying; you appear to just be doing normal local authentication.

It seems you are trying to do PEAP/MSCHAP. Validating MSCHAP requires either:

1. The NT hash
2. The plaintext password, from which the NT hash can be generated
3. Access to a third-party machine that can check the challenge/response for you

See:

http://deployingradius.com/documents/protocols/compatibility.html

If your account details are stored in active directory, you can only use option 3. This translates into:

1. Install Samba
2. Join Samba to the domain
3. Start winbind
4. Configure FreeRADIUS to use ntlm_auth to check MSCHAP against the AD controllers

See:

http://wiki.freeradius.org/FreeRADIUS%20Active%20Directory%20Integration%20HOWTO

/usr/local/etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Creating challenge hash with username: radldapu...@gcu.ac.uk
[mschap] Told to do MS-CHAPv2 for radldapu...@gcu.ac.uk with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect

As you can see, FreeRADIUS can't check your password because it doesn't know it.

Note: you CANNOT USE LDAP to solve this problem. Active Directory does not expose the required data over LDAP. You MUST use Samba & ntlm_auth.

Hope this helps.

Cheers,
Phil
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html