NLTM_AUTH (PAP) and MS-CHAP2 together?
mike.diggins at McMaster.CA
Sun Jan 4 04:16:38 CET 2009
On Sat, 3 Jan 2009, Alan DeKok wrote:
> Mike Diggins wrote:
>> After getting NTLM_AUTH working using PAP, I decided to try the MS-CHAP2
>> as well and that appears to work, but I had to remove the line "DEFAULT
>> Auth-Type := ntlm_auth" from my users file.
> Use "=", not ":=". I updated the "howto" on my web site a few weeks
> ago to reflect this.
>> When I do that MS-CHAP2
>> works, but PAP doesn't. I will have various radius clients, some of
>> which support MS-CHAP2, but some do not. How can I use both together? My
>> users will be connecting to both services, so defining a specific
>> AUTH-TYPE for each user won't work.
> The above change should work.
Thanks, that worked. I was following your web page too, not sure how I
missed that. If my user file looks like this:
diggins Auth-Type = ntlm_auth
Reply-Message = "Group=NetWorkers",
DEFAULT Auth-Type = ntlm_auth
How do I stop it from sending the same Reply message when the user enters
a incorrect password. Right now the Reject responds like this:
Sending Access-Reject of id 22 to 192.168.2.2 port 1025
Reply-Message = "Group=NetWorkers"
Also, my client (a cisco ASA5500 VPN Server) has an authorization check
box. When I check it, it sends a Radius request with the username and
password both filled in with the username. FreeRadius seems to treat it as
another authentication request. What is its purpose?
More information about the Freeradius-Users