Authenticate via AD and via local "users" file

Alan DeKok aland at deployingradius.com
Wed Feb 28 19:02:22 CET 2018


On Feb 28, 2018, at 12:53 PM, DUPALUT, Benjamin <benjamin.dupalut at esiee.fr> wrote:
> I'm using a pfsense server as a captive portal to authenticate users on my
> WiFi network. The captive portal is set to interrogate my freeradius server.
> 
> My freeradius server can already authenticate users via my AD using
> winbind. I also need local accounts (via "users" file) to create some
> temporary "WiFi" accounts for guests.

  How do you decide which one to use?

> My problem is that it seems that when freeradius receives an mschap request,
> it only interrogates the AD and does not check the local "users" file:

  Because you configured it to do that...

> *Radtest output :*

  Don't post that.  Read this:  http://wiki.freeradius.org/list-help

> *freeradius -X output :*

  With lots and lots of blank space, and debug output which is massively reformatted and unreadable.

  The short answer is that if you set a "known good" password for the user, and tell it to *not* use NTLM-Auth:

bob	Cleartext-Password := "password", MS-CHAP-Use-NTLM-Auth := no

  Then the MS-CHAP module will do that.

  This is documented in the comments in raddb/mods-available/mschap.  Please read that for further information.

  Alan DeKok.



