Hi Alan,
Hmm, it doesn't seem to work for me. In the debug log you can see that the RADIUS server sends the CHAP-Error to the supplicant. On the Windows 7 side, I got an invalid login but NOT a password change window. But this should pop up with the passchange feature enabled, right? I enabled the passchange config in the mschap module without success. What is wrong there?

DEBUG LOG:
##########
(8) Found Auth-Type = EAP
(8) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(8) group authenticate {
(8) - entering group authenticate {...}
(8) eap : Request found, released from the list
(8) eap : EAP/mschapv2
(8) eap : processing type mschapv2
(8) mschapv2 : # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(8) mschapv2 : group MS-CHAP {
(8) mschapv2 : - entering group MS-CHAP {...}
(8) mschap : NT Domain delimeter found, should we have enabled with_ntdomain_hack?
(8) mschap : Creating challenge hash with username: DOMAIN\test-user3
(8) mschap : Told to do MS-CHAPv2 for DOMAIN\test-user3 with NT-Password
(8) mschap : expand: %{Stripped-User-Name} ->
(8) mschap : ... expanding second conditional
(8) mschap : expand: %{User-Name} -> DOMAIN\test-user3
(8) mschap : expand: %{%{User-Name}:-None} -> DOMAIN\test-user3
(8) mschap : expand: --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -> --username=DOMAIN\test-user3
(8) mschap : NT Domain delimeter found, should we have enabled with_ntdomain_hack?
(8) mschap : Creating challenge hash with username: DOMAIN\test-user3
(8) mschap : expand: %{mschap:Challenge} -> 4b4be3875649ba1a
(8) mschap : expand: --challenge=%{%{mschap:Challenge}:-00} -> --challenge=4b4be3875649ba1a
(8) mschap : expand: %{mschap:NT-Response} -> a900f8c9381beb68f33a91cc2f1c87bb72970bdd62ece3a2
(8) mschap : expand: --nt-response=%{%{mschap:NT-Response}:-00} -> --nt-response=a900f8c9381beb68f33a91cc2f1c87bb72970bdd62ece3a2
Exec-Program output: Password expired (0xc0000648)
Exec-Program-Wait: plaintext: Password expired (0xc0000648)
Exec-Program: returned: 1
(8) mschap : ntlm_auth says password has expired
(8) [mschap] = reject
rlm_eap_mschapv2: No MS-CHAPv2-Success or MS-CHAP-Error was found.
(8) eap : Handler failed in EAP/mschapv2
(8) eap : Failed in EAP select
(8) [eap] = invalid
(8) Failed to authenticate the user.
(8) Login incorrect: [DOMAIN\\test-user3/<via Auth-Type = EAP>] (from client switches port 0 via TLS tunnel)
} # server inner-tunnel
(8) peap : Got tunneled reply code 3
        MS-CHAP-Error = "\013E=648 R=0 C=62fa0aad52c662d5b02fcda34542d074 V=3 M=Password Expired"
        EAP-Message = 0x040b0004
        Message-Authenticator = 0x00000000000000000000000000000000
(8) peap : Got tunneled reply RADIUS code 3
        MS-CHAP-Error = "\013E=648 R=0 C=62fa0aad52c662d5b02fcda34542d074 V=3 M=Password Expired"
        EAP-Message = 0x040b0004
        Message-Authenticator = 0x00000000000000000000000000000000
(8) peap : Tunneled authentication was rejected.
(8) peap : FAILURE
(8) [eap] = handled
Sending Access-Challenge of id 128 to 192.168.15.52 port 2686
        EAP-Message = 0x010c002b190017030100202f2f3b44177589096e8dbced7004dd801b1a777dd1a966acf5dcbde958537403
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x7cb2ed6374bef496dfd35c4e86820391
(8) Finished request 8.
Waking up in 0.1 seconds.
rad_recv: Access-Request packet from host zzz.aaa.xxx.yyy port 2686, id=129, length=262
        Framed-MTU = 1480
        NAS-IP-Address = zzz.aaa.xxx.yyy
        NAS-Identifier = "SWITCHxxx"
        User-Name = "DOMAIN\\test-user3"
        Service-Type = Framed-User

Thanks a lot,
C.

>CD DD wrote:
>> and how do i get this working ?
>
> read raddb/mods-available/mschap
>
> Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
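
Added example, not part of the original message and not FreeRADIUS code: a small Python parser for the MS-CHAP-Error value printed in the debug log above, using the failure-string layout from RFC 2759 and the leading Ident octet from RFC 2548. The function name, the returned keys and the "offers_password_change" interpretation are this example's own assumptions.

```python
import re

# Failure codes defined for the MS-CHAPv2 Failure packet in RFC 2759.
ERROR_CODES = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

_FIELDS = re.compile(r"E=(\d+) R=([01]) C=([0-9A-Fa-f]{32}) V=(\d+)(?: M=(.*))?$", re.S)
_OCTAL = re.compile(r"\\([0-7]{3})")


def parse_mschap_error(printed):
    """Parse an MS-CHAP-Error value as printed in radiusd debug output."""
    # Undo the \ooo octal escapes the debug printer uses for non-printable bytes.
    raw = _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), printed)
    if not raw:
        raise ValueError("empty MS-CHAP-Error")
    # RFC 2548: the first octet is the Ident, the rest is the failure string.
    ident, text = ord(raw[0]), raw[1:]
    m = _FIELDS.match(text)
    if m is None:
        raise ValueError("not an RFC 2759 failure string: %r" % text)
    code = int(m.group(1))
    return {
        "ident": ident,
        "error": code,
        "error_name": ERROR_CODES.get(code, "UNKNOWN"),
        "retry_allowed": m.group(2) == "1",
        "challenge": bytes.fromhex(m.group(3)),
        "change_version": int(m.group(4)),
        "message": m.group(5) or "",
        # Assumption of this example: a change-password exchange is on offer
        # when the code is 648 and V is 3 (the MS-CHAPv2 change protocol).
        "offers_password_change": code == 648 and int(m.group(4)) == 3,
    }


if __name__ == "__main__":
    # Value copied from the debug log above.
    sample = r"\013E=648 R=0 C=62fa0aad52c662d5b02fcda34542d074 V=3 M=Password Expired"
    for key, value in parse_mschap_error(sample).items():
        print(key, "=", value)
```

The parsed Ident (11) matches the identifier byte 0x0b in the inner EAP-Message 0x040b0004 from the same log entry.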