NTLM_AUTH (PAP) and MS-CHAP2 together?

Mike Diggins mike.diggins at McMaster.CA
Sun Jan 4 04:16:38 CET 2009

On Sat, 3 Jan 2009, Alan DeKok wrote:

> Mike Diggins wrote:
>> After getting NTLM_AUTH working using PAP, I decided to try the MS-CHAP2
>> as well and that appears to work, but I had to remove the line "DEFAULT
>> Auth-Type := ntlm_auth" from my users file.
>  Use "=", not ":=". I updated the "howto" on my web site a few weeks
> ago to reflect this.
>> When I do that MS-CHAP2
>> works, but PAP doesn't. I will have various radius clients, some of
>> which support MS-CHAP2, but some do not. How can I use both together? My
>> users will be connecting to both services, so defining a specific
>> AUTH-TYPE for each user won't work.
>  The above change should work.

Thanks, that worked. I was following your web page too, not sure how I 
missed that. If my user file looks like this:

 	diggins         Auth-Type = ntlm_auth
 	                Reply-Message =  "Group=NetWorkers",

 	DEFAULT         Auth-Type = ntlm_auth

How do I stop it from sending the same Reply message when the user enters
an incorrect password? Right now the Reject responds like this:

Sending Access-Reject of id 22 to port 1025
         Reply-Message = "Group=NetWorkers"

Also, my client (a Cisco ASA5500 VPN Server) has an authorization check
box. When I check it, it sends a RADIUS request with the username and
password both filled in with the username. FreeRADIUS seems to treat it as
another authentication request. What is its purpose?

