Ben Little wrote:
I'm attempting to configure freeradius to be used as a AAA mechanism for a bunch of cisco routers and switches, I have freeradius working correctly with local users however it appears that it is completely ignoring the mschap configuration that I've applied, I'm not sure why...
when attempting to perform a radtest locally I get the following:
The radtest packet doesn't include MS-CHAP. That's why it's not doing MS-CHAP.
It appears that the mschap is returning noop and not even attempting to authenticate the user, here's what I have done so far...
Yes. My web site has instructions on active directory integration. It includes instructions on testing with radtest.
no changes to radiusd.conf (I have read several times that if I touch this file I get smacked like a red headed step child)
Because too many people make edits without taking the time to understand it.
changes made to /modules/mschap
mschap { #use_mppe = no #require_encryption = yes #require_strong = yes with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
That won't work (if it's *exactly* like that). You will need to put all of the "ntlm_auth" text on one line, or escape it via "\". See other examples, such as the SQL configurations.
not really any changes to /sites-enabled/default I've tried adding ntlm_auth to the authenticate section but it doesn't seem to like that...here's the output from that. ... I have read the "how to" on deployingradius.com however, this "how to" appears to be written for a much older version of freeradius since many of the attributes mentioned are no longer contained in radiusd.conf,
? It's up to date with the most recent version of the server. Can you describe what's wrong about the document? Alan DeKok.