hi Fajar I did read the replies as well as Alan's page. Being a newbie to FR i actually started with that only. On Sat, Jan 21, 2012 at 7:44 PM, Fajar A. Nugraha <list@fajar.net> wrote:
Did you REALLY read the replies sent to this list? Did you REALLY read Alan's page, http://deployingradius.com/documents/configuration/active_directory.html to the end?
The version of radtest on my system doesnt support the -t option, hence even after doing radtest -h I could not find anything. I settled for jradius client to achieve the same effect already. Have tried upgrading the package but its already in the latest version.
If yes, you'd know that: - radtest can send mschap request as well (see 'radtest -h')
The only changes I have done to default config is in the inner tunnel or default file. Attaching the same if you may have a look. I have never blamed Alan that his recipe is flawed.
- Alan's page, up to 'Configuring FreeRADIUS to use ntlm_auth', contains detailed instruction on how to make FR works with AD and pap. If you can't get it to work, that means you're doing something wrong. Probably editing some entries you shouldn't, since your ntlm_auth result is OK (which means samba + AD part is working correctly). It's perfectly fine to be creative and edit the config file as you see fit, but ONLY if you know what you're doing. If you're given a recipe, and choose to stray from it, and messed up, don't blame the guy who created the recipe.
The PAP things is already working fine as I mentioned earlier and have followed every bit of Alans guide. Would redo the things again if it works.
- Also on Alan's page, there's the section 'Configuring FreeRADIUS to use ntlm_auth for MS-CHAP'. That pretty much answers the last part of your question, but ONLY if you already got pap working properly.
Attaching the inner tunnel and default file, please go through the same and point out if something is amiss..... Default File ------------------------------------------------------------------------------ authorize { preprocess # auth_log chap mschap # digest # wimax # IPASS suffix # ntdomain eap { ok = return } # unix # files # sql ntlm_auth # etc_smbpasswd # ldap # checkval expiration logintime pap #if(!control:Auth-Type) { #update control { # Auth-Type = "ntlm_auth" #} #} # Autz-Type Status-Server { # # } } authenticate { Auth-Type NTLM_AUTH { ntlm_auth } Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } # digest # pam # unix # Auth-Type LDAP { # ldap # } eap # Auth-Type eap { # eap { # handled = 1 # } # if (handled && (Response-Packet-Type == Access-Challenge)) { # attr_filter.access_challenge.post-auth # handled # override the "updated" code from attr_filter # } # } } INNER TUNNEL FILE -------------------------------------------------- server inner-tunnel { #listen { # ipaddr = 127.0.0.1 # port = 18120 # type = auth #} authorize { chap mschap # unix # IPASS suffix # ntdomain update control { Proxy-To-Realm := LOCAL } eap { ok = return } files #sql ntlm_auth # etc_smbpasswd # ldap # daily # checkval expiration logintime pap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } # pam ntlm_auth # unix # Auth-Type LDAP { # ldap # } eap } -- Regards Dhiraj Gaur