Hi Alan,

Thanks for the reply. I already followed your site and was able to make ntlm_auth work. For MS-CHAP the AD page of your site says

"Start the server and use a test client to send an MS-CHAP authentication request. The radclient cannot currently be used to send this request, unfortunately, which makes testing a little difficult. If everything goes well, you should see the server returning an Access-Accept <http://freeradius.org/rfc/rfc2865.html#Access-Accept> message as above."

Hence I was of the view radtest cannot work for MS-CHAP authentication. Request you to point me to the right link and way to do the MS-CHAP procedure and testing the same through radtest.

I could not understand "There's no User-Password in MS-CHAP."

Regards
Dhiraj Gaur

On Fri, Jan 20, 2012 at 9:15 PM, Alan DeKok <al...@deployingradius.com> wrote:

> Dhiraj Gaur wrote:
> > I have been trying to implement radius authentication server at my
> > workplace. The idea is to have all wifi access points authenticate
> > against a radius server.
>
> That is a common deployment, and should be easy to do.
>
> > The radius server needs to pass authentication to a backend Active
> > Directory server. I have been successful in authenticating wifi users
> > against file based and SQL based authentication in radius. NTLM_AUTH
> > using PAP also works fine, wherein plaintext password is successfully
> > authenticated against the AD and I get an "Access-Accept". However when
> > I pass the same credentials over CHAP, MSCHAP or EAP_MSCHAP the same is
> > not working and I end up in a "Access-Reject".
>
> CHAP will *not* work with AD. See my web site:
>
> http://deployingradius.com/documents/protocols/compatibility.html
>
> > Seems like that the
> > ntlm_auth program is not parsing the received encrypted password hence
> > the authentication fails. MSCHAP is a requirement as wifi clients at my
> > place mostly have eap supplicant. (Read in freeradius documentation that
> > eap and ldap doesn't go hand in hand, I may be wrong at interpreting the
> > same)
>
> You've misconfigured the server. You have it trying to do ntlm_auth
> using the User-Password, and then sending it an MS-CHAP authentication.
> There's no User-Password in MS-CHAP.
>
> Follow the instructions on my web site for configuring ntlm_auth:
>
> http://deployingradius.com/documents/configuration/active_directory.html
>
> And then follow the other instructions for getting EAP to work.
>
> > The freeradius logs for all the cases is listed below. Radius gurus
> > please point me to the right direction as to make MS_CHAP authentication
> > work over ntlm_auth or ldap (if possible).
> >
> > PS: I did all the testing using JRadius simulator.
>
> FreeRADIUS comes with "radclient", which does PAP, CHAP, and MS-CHAP.
> That should be all you need.
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>

--
Regards
Dhiraj Gaur