[ale] Freeradius, MSCHAP, and Active Directory

Edward Holcroft eholcroft at mkainc.com
Thu Feb 26 14:47:13 EST 2015


Make sure winbind is running. That held me up for the longest time.

Have you joined the Radius box to the AD domain?

What do you get when you do:

ntlm_auth --request-nt-key --domain=your.domain --username=Administrator

If you do not get NT_STATUS_OK: Success (0x0)

then you need to fix that first.


Do you have this entry under the mschap section?
>>
>>
>>                 with_ntdomain_hack = yes
>
>
> That got deprecated in favor of the "realm ntdomain" config as far as I
> can tell. So I don't have the hack enabled, but I do have:
>
> ```
> ntlm_auth = "/bin/ntlm_auth --request-nt-key
> --username=%{%{mschap:User-Name}:-None}
> --domain=%{%{mschap:NT-Domain}:-None}
> --challenge=%{%{mschap:Challenge}:-00}
> --nt-response=%{%{mschap:NT-Response}:-00}"
> ```


Is that just an example that you're quoting, or is that your actual config
line? My working /etc/freeradius/modules/mschap contains this:

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
--domain=%{mschap:NT-Domain:-MKA.LOCAL}
--challenge=%{%{mschap:Challenge}:-00}
--nt-response=%{%{mschap:NT-Response}:-00}"

where MKA.LOCAL is my AD domain.

I am using the with_ntdomain_hack=yes version of freeRadius, so cannot
comment on realm ntdomain.

ed

-- 
Edward Holcroft | Madsen Kneppers & Associates Inc.
11695 Johns Creek Parkway, Suite 250 | Johns Creek, GA 30097
O (770) 446-9606 | M (770) 630-0949
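
The checks suggested in this message, gathered into one script. This is an added example, not part of the original message and not FreeRADIUS or Samba code. The config path is the one quoted in the message; the function names and the `run` argument are illustrative, and `pgrep` and `wbinfo` are assumed to be installed on the RADIUS host.

```shell
#!/bin/sh
# Preflight for the chain FreeRADIUS mschap -> ntlm_auth -> winbind -> AD (added example).
# MSCHAP_CONF defaults to the path quoted in the message; override it for other layouts.
MSCHAP_CONF="${MSCHAP_CONF:-/etc/freeradius/modules/mschap}"

# Print the helper binary named on the first uncommented ntlm_auth line of a config file.
ntlm_auth_path() {
    sed -n 's/^[[:space:]]*ntlm_auth[[:space:]]*=[[:space:]]*"\{0,1\}\([^[:space:]"]*\).*/\1/p' "$1" |
        head -n 1
}

# Succeed only if ntlm_auth output reports NT_STATUS_OK.
ntlm_ok() {
    case "$1" in
        *NT_STATUS_OK*) return 0 ;;
        *) return 1 ;;
    esac
}

# usage: preflight DOMAIN USERNAME
preflight() {
    rc=0
    pgrep -x winbindd >/dev/null 2>&1 || { echo "FAIL: winbindd is not running"; rc=1; }
    wbinfo -t >/dev/null 2>&1 || { echo "FAIL: trust secret check failed (is this box joined to AD?)"; rc=1; }
    bin=$(ntlm_auth_path "$MSCHAP_CONF" 2>/dev/null)
    if [ -z "$bin" ]; then echo "FAIL: no ntlm_auth line found in $MSCHAP_CONF"; rc=1
    elif [ ! -x "$bin" ]; then echo "FAIL: $bin (named in $MSCHAP_CONF) is not executable"; rc=1
    fi
    # No --password option is passed, so the password never appears in argv or shell history.
    echo "Type the AD password for $2 when ntlm_auth waits for input:" >&2
    out=$(ntlm_auth --request-nt-key --domain="$1" --username="$2" 2>&1)
    ntlm_ok "$out" || { echo "FAIL: ntlm_auth reported: $out"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: winbind, domain join, helper path and ntlm_auth all pass"
    return "$rc"
}

# Runs only when invoked as: sh preflight.sh run DOMAIN USERNAME
if [ "${1:-}" = "run" ]; then preflight "$2" "$3"; fi
```

Run it as root or as a user allowed to talk to winbind; a failure on the helper path check points at a `/bin/ntlm_auth` versus `/usr/bin/ntlm_auth` mismatch of the kind the two config lines above differ on.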
