Alan,
A month ago i configured ntlm authentication
for our internal wifi users. This works fine, but now i also needed to
give access to some external consultants who didn't have an AD account.
I found a solution however by using
the "MS-Chap-Use-NTLM-Auth := 0" variable for those users (but
it would be nice if it would autom. fell through when no AD account was
found)
btw. i'm new to the (for me) more advanced
features/internals of (free)radius, thanks for explaining me.
Stieven Struyf
M.I.S. Division - System Operations
Komatsu Europe International NV
Mechelsesteenweg 586
B-1800 Vilvoorde
Stieven.Struyf@komatsu.eu
Tel. +32 (0)2 2552551
freeradius-users-bounces+stieven.struyf=komatsu.eu@lists.freeradius.org
wrote on 12/19/2006 08:24:55 PM:
> Stieven.Struyf@komatsu.eu wrote:
> >
> > All,
> > Does anyone know how i can configure ntlm fall-through, eg. try
to
> > authenticate the user local (via password entry in users file)
>
> No, the "users" file doesn't authenticate anyone.
It just adds a
> "known good" password to the request. Some other module
takes care of
> authenticating the user.
>
> > and if
> > the user isn't found use ntlm-auth(or first ntlm and afterwards
userfile
> > is also ok)?
> > If i comment out the ntlm-auth line in the mschap section of
> > radiusd.conf the user is authenticate local.
>
> See doc/configurable_failover. You should be able to
add a statement
> to the "authenticate" section saying "try FOO, and
if that fails, try BAR".
>
> This is really not a recommended configuration, however. It
is
> difficult to make it work well.
>
> Perhaps you could say *why* you need this, rather than asking
how to
> implement a particular solution.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site
of the book
> http://deployingradius.com/blog/ - The blog
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html