Users File co-existing with NTLM-Auth
Nathan McDavit-Van Fleet
nmcdavit at alcor.concordia.ca
Wed Apr 21 18:08:23 CEST 2010
I have a users file with name and password. I would like Freeradius to check
if there is a good username/password in the users file before failing using
As I said I currently have a good working copy of Freeradius with ntlm_auth
configuration. However, when I have ntlm_auth in
inner-tunnel->"authenticate" section, the username/password in the users
file no longer works. So if I disable the entry "ntlm_auth" from the
authenticate the users file works again.
I know that the username is unique to my users file (it doesn't exist on
I just need it so when ntlm_auth fails, it checks the known password from
the users file.
So is this a case of me having to see if there is a known good password
before trying ntlm_auth?
Nathan Van Fleet
> -----Original Message-----
> From: freeradius-users-
> bounces+nmcdavit=alcor.concordia.ca at lists.freeradius.org
> bounces+nmcdavit=alcor.concordia.ca at lists.freeradius.org] On Behalf Of
> Alan DeKok
> Sent: Wednesday, April 21, 2010 11:46 AM
> To: FreeRadius users mailing list
> Subject: Re: Users File co-existing with NTLM-Auth
> Nathan McDavit-Van Fleet wrote:
> > Can someone maybe describe exactly what's happening internally?
> The debug output shows exactly what it is doing, and often also shows
> > From my
> > understanding it should be checking "files" as per the setup in
> > "inner-tunnel" which is what mschap uses. I made sure that "files"
> > before mschap in "inner-tunnel" but it has no effect; ntlm_auths
> still work
> > and "files" aren't.
> See the FAQ for "it doesn't work".
> You've also confused authorization with authentication. They're
> > Past that I'm not sure what I can do. Since files work without
> ntlm_auth, I
> > have no reason to believe I have to insert "files" anyplace new, and
> I'm not
> > certain what it is I should disable. It should just check files
> > ntlm_auth.
> You've confused two independent things. The "files" module does
> things like "set the 'known good' password". Any "ntlm_auth" module
> involves checking the password in the packet against Active Directory.
> They are *completely* different operations.
> For Active Directory instructions, see:
> > If I implemented anything using unlang it would be checking files
> > ntlm_auth.
> It already does that in the default configuration.
> You are stuck because you are focussed on a particular
> "files before ntlm_auth". The statement (and question behind it) are
> wrong. Instead, state what you want to do. The rest should be
> relatively simple.
> Alan DeKok.
> List info/subscribe/unsubscribe? See
More information about the Freeradius-Users