Following this guide, I am trying to set up FreeRADIUS to authenticate against Active Directory. I can get an Access-Accept
message when I send the password in plaintext (using the DEFAULT Auth-Type = ntlm_auth
method); however, I want to use mschapv2 so the password is not sent in plaintext.
when I do:
radtest -t mschap user pass 10.10.1.21 0 d34db33f
I get:
Sending Access-Request Id 144 from 0.0.0.0:41971 to 10.10.1.21:1812
User-Name = 'user'
NAS-IP-Address = 10.10.7.178
NAS-Port = 0
Message-Authenticator = 0x00
MS-CHAP-Challenge = 0xc118ac9d5a2fbfd0
MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000003f0b91a63532bc231468ae3034fa0788e64e28efa4832ecf
Received Access-Reject Id 144 from 10.10.1.21:1812 to 10.10.7.178:41971 length 38
MS-CHAP-Error = '\000E=691 R=1'
(0) Expected Access-Accept got Access-Reject
On the server, if I do:
/usr/bin/ntlm_auth --request-nt-key --username=user --challenge=0xc118ac9d5a2fbfd0 --nt-response=0x00010000000000000000000000000000000000000000000000003f0b91a63532bc231468ae3034fa0788e64e28efa4832ecf
I get:
Logon failure (0xc000006d)
It sounds to me like I have a problem with the conversion to mschap. What do I need to edit so that I may authenticate properly?
Best Answer
Turns out the problem I was having was related to the freerad user not being able to access the winbind socket. More info here
Quote: