FreeRadius with Samba 4 using NTLM

I was following this tutorial: http://wiki.freeradius.org/guide/freeradius-active-directory-integration-howto to set up AD integration, but I am still experiencing problems with FreeRadius.

When I use

radtest -t mschap "username" "password" localhost 1812 testing123 

it returns:

Received Access-Reject Id 250 from 127.0.0.1:1812 to 127.0.0.1:59482 length 38
        MS-CHAP-Error = '\000E=691 R=1'
(0) -: Expected Access-Accept got Access-Reject

Anyway, when I try (the NTLM string should be correct):

sudo -u radiusd ntlm_auth --username="MyUserName" --request-nt-key
Password:
NT_STATUS_OK: Success (0x0)

When I start radiusd -X I can see errors:

(1)  mschap : EXPAND --challenge=%{%{mschap:Challenge}:-00}
(1)  mschap :    --> --challenge=4052dcf90b2dec2c
(1)  mschap : EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(1)  mschap :    --> --nt-response=617c94e4b57451ef769181355abf9a297ba5bb05d1938891
Program returned code (1) and output 'Logon failure (0xc000006d)'
(1)  mschap : External script failed
(1)  ERROR: mschap : External script says: Logon failure (0xc000006d)
(1)  ERROR: mschap : MS-CHAP-Response is incorrect
(1)   [mschap] = reject
(1)  } # Auth-Type MS-CHAP = reject
(1) Failed to authenticate the user

But I was not able to find any solutions. Any idea how to debug this or what could be wrong?

There is 1 best solution below

The 'return code' (0xc000006d) indicates that the ntlm_auth script doesn't authenticate the provided credentials and exits with code 1. So, I would try to 'hard code' the ntlm_auth in the mods-available/mschap with your control items and add item by item. E.g.:

ntlm_auth = 'ntlm_auth --username="MyUserName" --request-nt-key --password="MyUserPassword"'

Hope that helps.
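
A triage helper for the radiusd -X output shown in the question, added here as an example (not code from the question, the answer, or FreeRADIUS): it checks whether the expanded --challenge and --nt-response values are well formed or fell back to the :-00 default, and extracts the status code ntlm_auth returned. The function name triage, the verdict labels and the request (2) log lines are assumptions made for the illustration.

```python
import re

# Constructed sample in the radiusd -X format from the question: request (1)
# repeats the question's lines, request (2) is invented to show the fallback.
SAMPLE_LOG = """\
(1)  mschap :    --> --challenge=4052dcf90b2dec2c
(1)  mschap :    --> --nt-response=617c94e4b57451ef769181355abf9a297ba5bb05d1938891
Program returned code (1) and output 'Logon failure (0xc000006d)'
(1)  ERROR: mschap : External script says: Logon failure (0xc000006d)
(2)  mschap : EXPAND --challenge=%{%{mschap:Challenge}:-00}
(2)  mschap :    --> --challenge=00
(2)  mschap :    --> --nt-response=00
(2)  ERROR: mschap : External script says: Logon failure (0xc000006d)
"""

# ntlm_auth expects an 8-byte challenge and a 24-byte NT response, hex-encoded.
EXPECTED_HEX_LEN = {"challenge": 16, "nt-response": 48}
ARG_RE = re.compile(r"^\((\d+)\)\s+mschap\s*:\s+-->\s+--(challenge|nt-response)=(\S*)")
STATUS_RE = re.compile(r"^\((\d+)\)\s+ERROR: mschap : External script says: .*\((0x[0-9a-fA-F]{8})\)")

def triage(log_text):
    """Map request id -> {"args": {name: well_formed}, "status": code, "verdict": str}."""
    reqs = {}
    for line in log_text.splitlines():
        arg, status = ARG_RE.match(line), STATUS_RE.match(line)
        if arg:
            rid, name, value = arg.groups()
            entry = reqs.setdefault(int(rid), {"args": {}, "status": None})
            entry["args"][name] = bool(re.fullmatch(r"[0-9a-fA-F]{%d}" % EXPECTED_HEX_LEN[name], value))
        elif status:
            entry = reqs.setdefault(int(status.group(1)), {"args": {}, "status": None})
            entry["status"] = status.group(2).lower()
    for entry in reqs.values():
        if not all(entry["args"].get(name) for name in EXPECTED_HEX_LEN):
            entry["verdict"] = "inputs-missing"     # ":-00" fallback or malformed value was passed
        elif entry["status"]:
            entry["verdict"] = "backend-rejected"   # inputs well formed; ntlm_auth itself said no
        else:
            entry["verdict"] = "no-failure-logged"
    return reqs

if __name__ == "__main__":
    for rid, entry in sorted(triage(SAMPLE_LOG).items()):
        print(rid, entry["verdict"], entry["status"])
```

A "backend-rejected" verdict, as for request (1), means FreeRADIUS handed ntlm_auth a complete challenge and response, so the rejection came from ntlm_auth rather than from the attribute expansion.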