mschap auth for multiple realms off different domain ctlrs?

Ross Wheeler freeradius.contact at albury.net.au
Thu Jul 30 09:22:40 CEST 2009



On Tue, 28 Jul 2009, Ivan Kalik wrote:

Thank you for the reply and suggestion. I've been interstate and just back 
now to try it.


> Create two mschap module instances, mschap_co1 with first ntlm_auth line
> and mschap_co2 with second one.

ok.

> Then create redundancy inside Auth-Type
> MS-CHAP (default server for mschap requests, inner-tunnel for peap):
>
> Auth-Type MS-CHAP {
>     if(Realm == "company1.local") {
>          mschap_co1
>     }
>     elsif(Realm == "company2.local") {
>          mschap_co2
>     }
>     else {
>          mschap (or reject if you don't want to try users file, sql, ldap
> or other accounts)
>     }
> }

When I do this, stop radiusd and re-run with -X, I get:

     reread_config:  reading radiusd.conf
     Config:   including file: /usr/local/etc/raddb/clients.conf
     /usr/local/etc/raddb/radiusd.conf[1948]: Line is not in 'attribute = value' format
     Errors reading radiusd.conf

I then commented out most to check for stupid operator errors:


         # new MSCHAP authentication.
         # auths differently depending on the realm
         # If none of the defined realms, use standard
         Auth-Type MS-CHAP {
#               if(Realm == "aae.local") {
                         mschap_co1
#               }
#               elseif(Realm == "lla.local") {
                         mschap_co2
#               }
#               else {
#                       mschap
#               }
         }


This at least got further... but not much. Here's the -X output:


# /usr/local/sbin/radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
  main: prefix = "/usr/local"
  main: localstatedir = "/var"
  main: logdir = "/var/log"
  main: libdir = "/usr/local/lib"
  main: radacctdir = "/var/log/radacct"
  main: hostname_lookups = no
  main: max_request_time = 30
  main: cleanup_delay = 5
  main: max_requests = 1024
  main: delete_blocked_requests = 0
  main: port = 0
  main: allow_core_dumps = no
  main: log_stripped_names = no
  main: log_file = "/var/log/radius.log"
  main: log_auth = no
  main: log_auth_badpass = yes
  main: log_auth_goodpass = yes
  main: pidfile = "/var/run/radiusd/radiusd.pid"
  main: bind_address = 127.0.0.1 IP address [127.0.0.1]
  main: user = "(null)"
  main: group = "(null)"
  main: usercollide = no
  main: lower_user = "no"
  main: lower_pass = "no"
  main: nospace_user = "no"
  main: nospace_pass = "no"
  main: checkrad = "/usr/local/sbin/checkrad"
  main: proxy_requests = no
  security: max_attributes = 200
  security: reject_delay = 1
  security: status_server = no
  main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
  exec: wait = yes
  exec: program = "(null)"
  exec: input_pairs = "request"
  exec: output_pairs = "(null)"
  exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
  pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
radiusd.conf[723] Failed to link to module 'rlm_mschap_co1': Shared object 
"rlm_mschap_co1.so" not found, required by "radiusd"
radiusd.conf[1949] Unknown module "mschap_co1".
radiusd.conf[1949] Failed to parse "mschap_co1" entry.
bash-2.05b#




I'm simply not familiar enough with FreeRadius to know where to go with 
this - I learned enough to set it up many years ago on my own systems, 
it's been rock-solid ever since and I guess I've just forgotten it all. 
This particular configuration was done by someone else and is quite 
different to my own. Any (further) help appreciated.
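The two errors in the debug output point at two things in the posted configuration: a bare "mschap_co1 { }" block makes radiusd look for a shared object named rlm_mschap_co1.so (the module instance has to be declared as "mschap mschap_co1 { }"), and the unlang keyword is "elsif", not "elseif". The fragment below is an added example of the per-realm layout Ivan described, not configuration from the thread; it assumes FreeRADIUS 2.x (the if/elsif syntax does not exist in the 1.x config parser, which rejects such lines with the "not in 'attribute = value' format" error), and the ntlm_auth path, the --domain values and the realm names are placeholders to adapt.

```unlang
# --- modules section: radiusd.conf "modules { }", or a file under raddb/modules/ ---
# The instance name follows the module name. A bare "mschap_co1 { }" block is
# parsed as a module called rlm_mschap_co1, which is the link failure in the log.
mschap mschap_co1 {
    with_ntdomain_hack = yes
    # ntlm_auth path and --domain value are assumptions; use the local Samba install
    # joined to the first domain controller.
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=COMPANY1 --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

mschap mschap_co2 {
    with_ntdomain_hack = yes
    # Second instance, pointed at the second domain (assumed name COMPANY2).
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=COMPANY2 --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

# --- authenticate section of the virtual server that handles the request ---
# Put this in the default server for plain MS-CHAP and in the inner-tunnel
# server for PEAP. Realm must already have been set by the realm/suffix module
# in authorize, so the realms have to be defined (e.g. in proxy.conf).
authenticate {
    Auth-Type MS-CHAP {
        if (Realm == "company1.local") {
            mschap_co1
        }
        elsif (Realm == "company2.local") {   # "elsif", not "elseif"
            mschap_co2
        }
        else {
            # Unknown realm: reject outright. Replace "reject" with a plain
            # "mschap" instance if local accounts (users file, sql, ldap) should
            # still be tried.
            reject
        }
    }
}
```

With the instances declared this way the "Unknown module" and "Failed to link" lines in the -X output disappear, and -X then shows which instance each request is dispatched to.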


