separating Users?

freeradius at corwyn.net freeradius at corwyn.net
Tue Dec 1 05:03:20 CET 2009


At 09:41 PM 11/30/2009, you wrote:
>Yes, if that DEFAULT entry doesn't match - it will get ignored. If you
>want authentication to fail if such conditions are not met you need to add
>Auth-Type to it. If there is no Fall-Through to DEFAULT forcing ntlm_auth,
>Auth-Type won't be set and authentication will fail.

so if ./users:
DEFAULT         Huntgroup-Name == Cisco_Huntgroup, Auth-Type:=ntlm_auth, Ldap-Group == "Infrastructure"
                 Service-Type:=NAS-Prompt-User,cisco-avpair:="shell:priv-lvl=15"
DEFAULT         Huntgroup-Name == VPN_Huntgroup, Auth-Type:=ntlm_auth, Ldap-Group == "VPN_Users"

it should work?  I think even with the Auth-Type specified as ntlm_auth, an Auth-Type is being set, as it's finding MSCHAP for me:

radiusd -X gives:
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}

If I remark out:
#       Auth-Type MS-CHAP {
#               mschap
#       }
from my server config, that stops it from being found, but then I 
lose the password for ntlm_auth I think:

Found Auth-Type = ntlm_auth
+- entering group authenticate {...}
[ntlm_auth]     expand: --username=%{mschap:User-Name} -> --username=rsteeves
[ntlm_auth]     expand: --password=%{User-Password} -> --password=
Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)

Is that going to be a limitation of using MSCHAP/MSCHAP2?

Rick


>Ivan Kalik
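The debug output above shows why forcing Auth-Type := ntlm_auth fails for MS-CHAP requests: the client never sends a cleartext password, so %{User-Password} expands to nothing. The usual fix is to let the mschap module pass the challenge and NT-Response to ntlm_auth instead, and to keep the huntgroup/LDAP-group authorisation in the users file with a catch-all reject. The fragments below are an added example, not configuration from the original post; the ntlm_auth path, the fallback domain EXAMPLE and the group names are assumptions to be adjusted locally.

```conf
# raddb/modules/mschap (added example, not from the post). The mschap module
# hands the MS-CHAP challenge and NT-Response to ntlm_auth, so no cleartext
# password is needed and the empty --password= seen above no longer matters.
# /usr/bin/ntlm_auth and the fallback domain EXAMPLE are assumptions.
mschap {
        with_ntdomain_hack = yes
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-EXAMPLE} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

# raddb/sites-enabled/default: keep the MS-CHAP authenticate section. The
# mschap module sets Auth-Type = MS-CHAP in authorize whenever the request
# carries MS-CHAP attributes, which is why "Found Auth-Type = MSCHAP" appears.
authenticate {
        Auth-Type MS-CHAP {
                mschap
        }
}

# raddb/users: authorisation by huntgroup plus LDAP group. Each entry is one
# check line followed by indented reply items; every reply line but the last
# ends with a comma. Fall-Through defaults to no, so processing stops at the
# first matching entry and the final DEFAULT only applies when nothing above
# matched, rejecting users outside the expected huntgroup/group pairs.
DEFAULT Huntgroup-Name == Cisco_Huntgroup, Ldap-Group == "Infrastructure"
        Service-Type := NAS-Prompt-User,
        cisco-avpair := "shell:priv-lvl=15"

DEFAULT Huntgroup-Name == VPN_Huntgroup, Ldap-Group == "VPN_Users"
        Service-Type := Framed-User

DEFAULT Auth-Type := Reject
        Reply-Message := "Not authorised for this access type"
```

The `Auth-Type := Reject` catch-all is what makes a non-matching user fail outright rather than fall through to whatever Auth-Type the mschap module set in authorize.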