Good afternoon,

As I said some days ago in this list, we have configured our freeradius server to use ntlm_auth for autentication following the document:
http://deployingradius.com/documents/configuration/active_directory.html

Everything is working as expected. Thanks!

But I have some doubts about that documentation.
In section "Configuring FreeRADIUS to use ntlm_auth" is said to "to list ntlm_auth in the authenticate sections of each the raddb/sites-enabled/default file, and of the raddb/sites-enabled/inner-tunnel file."

I have made some tests and it seems that is not needed to add it, as freeradius is using mschap module to autenticate.

+- entering group MS-CHAP {...}
[mschap] Client is using MS-CHAPv1 with NT-Password
[mschap]     expand: %{Stripped-User-Name} -> oscarrdg
[mschap]     expand: --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -> --username=oscarrdg
[mschap]  mschap1: b9
[mschap]     expand: %{mschap:Challenge} -> b9415739df3a9c1b
[mschap]     expand: --challenge=%{%{mschap:Challenge}:-00} -> --challenge=b9415739df3a9c1b
[mschap]     expand: %{mschap:NT-Response} -> 2d41aa6d7e87e086dfc2920f2234b58ca1f6efe2c71505b8
[mschap]     expand: --nt-response=%{%{mschap:NT-Response}:-00} -> --nt-response=2d41aa6d7e87e086dfc2920f2234b58ca1f6efe2c71505b8
Exec-Program output: NT_KEY: 312D5366FF0179461F1E13FA4AECD06A
Exec-Program-Wait: plaintext: NT_KEY: 312D5366FF0179461F1E13FA4AECD06A
Exec-Program: returned: 0
[mschap] adding MS-CHAPv1 MPPE keys
++[mschap] returns ok

Is there anything else to take into account considering adding that section to the virtual servers configuration or not? Or is it just needed when Auth-Type is set to ntlm_auth manually in order to test the system?

I usually prefer to let config files as similar to the default files as posible.

Thank you so much for your help.

Regards,



Oscar Remírez de Ganuza Satrústegui

Servicios Informáticos (Área de Infraestructuras)
Universidad de Navarra
Tel. +34 948425600 x803130
http://www.unav.es/SI/