cisco vpn authentication, freeradius and best practices

tnt at kalik.net tnt at kalik.net
Sun Oct 19 20:23:17 CEST 2008


>The purpose of the rule is to handle incoming requests from a cisco pix for
>VPN authentication. It is supposed to validate it using ntlm_auth. There are
>two ntlm_auth definitions in the radiusd.conf. One handles MS-CHAP and one
>is for ntlm_auth_plaintext.
>I tested this rule with radtest (making the necessary modifications) and it
>worked fine.
>
>DEFAULT Huntgroup-Name = "vpn-pix", Ldap-Group = "CN=somevpn...", Auth-Type := ntlm_auth_plaintext
>DEFAULT Huntgroup-Name = "vpn-pix", Ldap-Group != "CN=somevpn...", Auth-Type := Reject
>
>Is it a good idea to force the auth-type in the users file?

No. Forcing the auth type should be avoided as a rule, but in this case it
can't be avoided. The entry is wrong, though. If you get an mschap request,
this entry will force the auth type to plaintext authentication and
authentication will fail. Change the operator := to =. That way, if the auth
type mschap was set already (mschap is listed before files in authorize),
it won't be changed.

Ivan Kalik
Kalik Informatika ISP
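To see why the operator matters, here is an added toy model (not FreeRADIUS code) of the authorize flow described above: the mschap module runs first and sets Auth-Type for MS-CHAP requests, then the users-file entry is applied with either := or =. The request dicts, the attribute values and the Ldap-Group placeholder are constructed for the example; only the first (accept) entry is modelled, and huntgroup/LDAP lookups are assumed to have already populated the request.

```python
"""Toy model of FreeRADIUS users-file operators on Auth-Type.

Added example, not FreeRADIUS's own code. It mimics just enough of the
authorize section (mschap module, then files) to show why
'Auth-Type := ntlm_auth_plaintext' breaks MS-CHAP requests while
'Auth-Type = ntlm_auth_plaintext' leaves them alone.
"""

# Constructed sample requests. Huntgroup-Name and Ldap-Group are assumed to
# have been filled in by the huntgroups/ldap lookups before 'files' runs.
MSCHAP_REQ = {
    "User-Name": "alice", "Huntgroup-Name": "vpn-pix",
    "Ldap-Group": "CN=vpn-users-placeholder",
    "MS-CHAP-Challenge": "<constructed>", "MS-CHAP2-Response": "<constructed>",
}
PAP_REQ = {
    "User-Name": "bob", "Huntgroup-Name": "vpn-pix",
    "Ldap-Group": "CN=vpn-users-placeholder",
    "User-Password": "<constructed>",
}

# The users entry from the thread, with the operator left as a parameter.
ENTRY_MATCH = {"Huntgroup-Name": "vpn-pix", "Ldap-Group": "CN=vpn-users-placeholder"}
ENTRY_VALUE = "ntlm_auth_plaintext"


def mschap_authorize(request, control):
    """mschap in authorize: claim the request only if it carries MS-CHAP
    attributes and nobody has decided an Auth-Type yet."""
    if "MS-CHAP-Challenge" in request and "Auth-Type" not in control:
        control["Auth-Type"] = "MS-CHAP"


def files_authorize(request, control, op):
    """files in authorize: apply the check entry if its items match."""
    if any(request.get(k) != v for k, v in ENTRY_MATCH.items()):
        return False
    if op == ":=":      # always set, replacing anything set earlier
        control["Auth-Type"] = ENTRY_VALUE
    elif op == "=":     # set only if no earlier module set it
        control.setdefault("Auth-Type", ENTRY_VALUE)
    else:
        raise ValueError(f"unsupported operator {op!r}")
    return True


def decide_auth_type(request, op):
    """Run the modelled authorize order (mschap before files) and return
    the resulting Auth-Type."""
    control = {}
    mschap_authorize(request, control)
    files_authorize(request, control, op)
    return control.get("Auth-Type")
```

With := the MS-CHAP request ends up routed to plaintext authentication, which cannot succeed without a cleartext password; with = it stays MS-CHAP, and a plaintext (PAP) request still gets ntlm_auth_plaintext either way.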