Hello Julio and all,
Thanks for bringing Radius into Zentyal 4.2!
I was able to install successfully and it seems to work in general, but not in my specific setup.
I want to use Radius to grant WiFi access to registered users and tried with two different APs so far. One is an older Siemens DSL router and the other is a Buffalo router with DD-WRT on board.
Both seem to be using MSCHAP authentication, but they always fail with "Login incorrect". Looking into the radius.log file, all I can see is:
Fri Jun 3 19:01:02 2016 : Auth: Login incorrect (mschap: External script says ): [#username#] (from client ##.##.###.#/32 port 0 via TLS tunnel)
Fri Jun 3 19:01:03 2016 : Auth: Login incorrect: [#username#] (from client ##.##.###.#/32 port 1 cli ##-##-##-##-##-##)
and that's basically it. No more hints.
I also tried using the radtest tool and it works successfully, unless I choose MSCHAP as type. So my understanding is that the auth against the AD works in general and there must be an issue with the MSCHAP module.
The module does exist in the modules folder and besides the domain hack being active, the ntlm_auth looks like this:
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
I'm not a big pro on Radius setup, so I hope someone can help me to get this going. We're using the installation for a refugee project.
update:
radtest output for mschap auth: MS-CHAP-Error = "\000E=691 R=1"
update2: checked ntlm_auth and it does work, but only when using sudo. Is this correct? I read some comments about the freerad user needing to be a member of the winbindd_priv group, but this is already the case. (winbindd_priv:x:118:freerad)
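
Added example, not part of the original post: a small Python parser for the MS-CHAP-Error value shown in the radtest output above. The field layout (E, R, C, V, M) and the code names are taken from RFC 2433 and RFC 2759; the function name parse_mschap_error is made up for this example.

```python
# Added example: decode an MS-CHAP-Error value as printed by radtest.
# Code names are the ones listed in RFC 2433 / RFC 2759.
import re

MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

def parse_mschap_error(value):
    """Return the fields of an MS-CHAP-Error string as a dict."""
    text = value.strip(' "')
    ident = None
    # The first octet is the CHAP identifier; radtest prints it as an
    # octal escape such as \000, but a raw byte is accepted as well.
    escaped = re.match(r"\\([0-7]{3})", text)
    if escaped:
        ident, text = int(escaped.group(1), 8), text[escaped.end():]
    elif text and not text[0].isprintable():
        ident, text = ord(text[0]), text[1:]
    # M=<message> is free text and runs to the end of the string.
    head, sep, message = text.partition(" M=")
    fields = {}
    for token in head.split():
        key, eq, val = token.partition("=")
        if eq:
            fields[key] = val
    if not fields.get("E", "").isdigit():
        raise ValueError("no E=<code> field in %r" % value)
    code = int(fields["E"])
    return {
        "ident": ident,
        "code": code,
        "name": MSCHAP_ERRORS.get(code, "unknown"),
        "retry_allowed": fields.get("R") == "1",
        "challenge": fields.get("C"),
        "version": fields.get("V"),
        "message": message if sep else None,
    }

if __name__ == "__main__":
    # Value copied from the radtest output in the post above.
    print(parse_mschap_error(r'"\000E=691 R=1"'))
```

For the value in the post this gives code 691 (ERROR_AUTHENTICATION_FAILURE) with retry allowed; that is the generic failure code and does not by itself identify which step of the authentication failed.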