[ale] Freeradius, MSCHAP, and Active Directory

James Sumners james.sumners at gmail.com
Thu Feb 26 15:17:39 EST 2015


On Thu, Feb 26, 2015 at 2:47 PM, Edward Holcroft <eholcroft at mkainc.com>
wrote:

> Make sure winbind is running. That held me up for the longest time.
>
> Have you joined the Radius box to the AD domain?
>
> What do you get when you do:
>
> ntlm_auth --request-nt-key --domain=your.domain --username=Administrator
>
> If you do not get NT_STATUS_OK: Success (0x0)
>
> then you need to fix that first.
>

Stated in my original post that is all working.


>
>
>>> Do you have this entry under the mschap section?
>>>
>>>
>>>                 with_ntdomain_hack = yes
>>
>>
>> That got deprecated in favor of the "realm ntdomain" config as far as I
>> can tell. So I don't have the hack enabled, but I do have:
>>
>> ntlm_auth = "/bin/ntlm_auth --request-nt-key
>> --username=%{%{mschap:User-Name}:-None}
>> --domain=%{%{mschap:NT-Domain}:-None}
>> --challenge=%{%{mschap:Challenge}:-00}
>> --nt-response=%{%{mschap:NT-Response}:-00}"
>>
>
>
> Is that just an example that you're quoting, or is that your actual
> config line? My working /etc/freeradius/modules/mschap
> contains this:
>
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
> --domain=%{mschap:NT-Domain:-MKA.LOCAL}
> --challenge=%{%{mschap:Challenge}:-00}
> --nt-response=%{%{mschap:NT-Response}:-00}"
>
> where MKA.LOCAL is my AD domain.
>
> I am using the with_ntdomain_hack=yes version of freeRadius, so cannot
> comment on realm ntdomain.
>

That is my actual config line. It works just fine when a username that
doesn't have the escape sequence for the tab character in it authenticates.



-- 
James Sumners
http://james.sumners.info/ (technical profile)
http://jrfom.com/ (personal site)
http://haplo.bandcamp.com/ (band page)
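
Added example, not part of the original message and not FreeRADIUS code: a Python check for the failure mode mentioned above, where a `DOMAIN\user` login whose user part starts with `t` contains the tab escape sequence. It assumes the tab comes from a C-style unescape pass over the raw User-Name value; the function names and the sample logins are constructed for illustration.

```python
import re

# Letters that a C-style unescape pass turns into control characters.
# Assumption: the tab in the thread comes from this kind of unescaping.
ESCAPES = {"t": "\t", "n": "\n", "r": "\r"}

# Constructed sample logins (not taken from the thread).
SAMPLE_LOGINS = [r"EXAMPLE\tsmith", r"EXAMPLE\jdoe", r"EXAMPLE\nrogers", "tsmith"]


def split_ntdomain(user_name):
    """Split 'DOMAIN\\user' at the first backslash; domain is None if absent."""
    domain, sep, user = user_name.partition("\\")
    return (domain, user) if sep else (None, user_name)


def c_unescape(value):
    """Model one C-style unescape pass over a raw User-Name value."""
    return re.sub(r"\\([tnr])", lambda m: ESCAPES[m.group(1)], value)


def audit(user_name):
    """Report how a login splits and whether unescaping would alter it."""
    domain, user = split_ntdomain(user_name)
    mangled = c_unescape(user_name)
    return {
        "domain": domain,
        "user": user,
        "at_risk": mangled != user_name,
        "after_unescape": mangled,
    }


def find_affected(logins):
    """Return the logins whose value changes under unescaping."""
    return [name for name in logins if audit(name)["at_risk"]]


if __name__ == "__main__":
    for login in SAMPLE_LOGINS:
        result = audit(login)
        print(f"{login!r:22} at_risk={result['at_risk']} -> {result['after_unescape']!r}")
```

Running the same audit over the account names expected to authenticate shows in advance which logins would reach `ntlm_auth` with a control character in `--username`.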