On Fri, May 17, 2013 at 2:09 AM, Wang, Yu <ywan...@fsu.edu> wrote:
>
> Hello,
>
> I upgraded FR from 2.1.10 to 2.2.1. Everything went well except about 25% of
> our wireless users cannot authenticate after the upgrade. The backend
> authentication server is Active Directory and we use ntlm_auth from winbind
> to pass MSCHAPv2 response from FR to AD.

> rlm_perl: Added pair NT-Password =
> 0x4444333431333443313741333642433142444136383333324232323239443431
> [pap] Normalizing NT-Password from hex encoding

Just curious. Do ALL the failed users have the NT-Password attribute added by rlm_perl?

IIRC the reason for using ntlm_auth is that AD would NOT give out NT-Password when running in LDAP mode. Or to put it another way, if you had access to NT-Password (e.g. stored in another database, whatever), then you won't need ntlm_auth at all.

If you DO use ntlm_auth (which I don't see from the debug log), try removing NT-Password from the list of attributes added by rlm_perl. My guess is that whatever your rlm_perl data source is, it is out of sync with your AD.

--
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
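
One way to check the question raised in the reply above, whether every rejected user is one for whom rlm_perl added NT-Password, is to correlate the two per request in the debug output. This is an added example, not part of the original thread; the sample log is constructed, and apart from the `rlm_perl: Added pair NT-Password` line quoted in the post, the line shapes are assumed to resemble `radiusd -X` output.

```python
import re

# Constructed sample shaped like `radiusd -X` debug output (assumption).
# Only the "rlm_perl: Added pair NT-Password" line shape is from the post.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.0.2.10 port 1645, id=11, length=120
        User-Name = "alice"
rlm_perl: Added pair NT-Password = 0xCONSTRUCTED
Sending Access-Reject of id 11 to 192.0.2.10 port 1645
rad_recv: Access-Request packet from host 192.0.2.10 port 1645, id=12, length=118
        User-Name = "bob"
Sending Access-Accept of id 12 to 192.0.2.10 port 1645
rad_recv: Access-Request packet from host 192.0.2.10 port 1645, id=13, length=121
        User-Name = "carol"
rlm_perl: Added pair NT-Password = 0xCONSTRUCTED
Sending Access-Reject of id 13 to 192.0.2.10 port 1645
"""

START = re.compile(r"^rad_recv: Access-Request\b")
USER = re.compile(r'^\s*User-Name = "([^"]*)"')
PERL_NT = re.compile(r"^rlm_perl: Added pair NT-Password\b")
RESULT = re.compile(r"^Sending (Access-Accept|Access-Reject)\b")

def correlate(log_text):
    """Group users by (outcome, whether rlm_perl added NT-Password)."""
    groups = {}
    user, perl_nt = None, False
    for line in log_text.splitlines():
        if START.match(line):              # new request: reset per-request state
            user, perl_nt = None, False
        elif (m := USER.match(line)) and user is None:
            user = m.group(1)              # first User-Name seen in this request
        elif PERL_NT.match(line):
            perl_nt = True
        elif m := RESULT.match(line):
            groups.setdefault((m.group(1), perl_nt), []).append(user)
    return groups

def rejects_all_have_perl_nt(log_text):
    """True only if there are rejects and every one had NT-Password from rlm_perl."""
    groups = correlate(log_text)
    return bool(groups.get(("Access-Reject", True))) and not groups.get(("Access-Reject", False))

if __name__ == "__main__":
    for (outcome, perl_nt), users in sorted(correlate(SAMPLE_LOG).items()):
        print(f"{outcome:14} rlm_perl NT-Password={perl_nt}: {users}")
    print("every reject had rlm_perl NT-Password:", rejects_all_have_perl_nt(SAMPLE_LOG))
```

If rejects also appear for users without the rlm_perl attribute, the stale NT-Password is not the only cause and the rest of the debug log needs a closer look.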