hanks, Working version of Tttls/pap and ldap module. In /etc/freeradius/mods-enabled/eap eap { default_eap_type = ttls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = ${max_requests} tls-config tls-common { private_key_file = /etc/freeradius/certs/ssl-cert-snakeoil.key certificate_file = /etc/freeradius/certs/ssl-cert-snakeoil.pem ca_file = /etc/freeradius/certs/ca-certificates.crt dh_file = ${certdir}/dh ca_path = ${cadir} cipher_list = "HIGH" cipher_server_preference = no ecdh_curve = "prime256v1" check_crl = no } ttls { tls = tls-common default_eap_type = md5 copy_request_to_tunnel = no use_tunneled_reply = yes virtual_server = "inner-tunnel" } } But group access doesn't work. In /etc/freeradius/users LDAP-Group == "VPN_GROUP" DEFAULT Group != "VPN_GROUP", Auth-Type := Reject /etc/freeradius/mods-config/files/authorize[1]: Parse error (check) for entry LDAP-Group: Invalid attribute name Failed reading /etc/freeradius/mods-config/files/authorize /etc/freeradius/mods-enabled/files[9]: Instantiation failed for module «files" Is it possible to configure group access in this configuration ?
19 мая 2020 г., в 16:04, Alan DeKok <aland@deployingradius.com> написал(а):
On May 19, 2020, at 7:35 AM, Клеусов Владимир Сергеевич via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Sum up. I can't use AD without ntlm. Because there are encrypted passwords coming from AD. Do I need Ntlm to work with encrypted passwords ?
That's a little confused.
Doing MS-CHAP to AD requires ntlm_auth.
If you have PAP, you can do normal LDAP bind to AD.
If you're not using AD, then FreeRADIUS supports all standard encryption types. But these only work for PAP. NT hashed passwords also work for MS-CHAP.
Alan DeKok.