Good afternoon everybody,

We have configured freeradius to authenticate against Active Directory/Samba using ntlm_auth, following the instructions on:
http://deployingradius.com/documents/configuration/active_directory.html
Everything works as expected.

Right now on our production server we are using LDAP to store the user credentials. We would like to achieve a smooth transition to the new authentication method. So want to configure freeradius to authenticate with ntlm_auth just in the cases when there is not ClearText-Password available, but we do not know how to do it.

Using instructions from modules/mschap:

        # If ntlm_auth is configured below, then the mschap
        # module will call ntlm_auth for every MS-CHAP
        # authentication request.  If there is a cleartext
        # or NT hashed password available, you can set
        # "MS-CHAP-Use-NTLM-Auth := No" in the control items,
        # and the mschap module will do the authentication itself,
        # without calling ntlm_auth.

We were able to bypass the ntlm_auth on some users/groups defining on the users file the control item "MS-CHAP-Use-NTLM-Auth := No".

But is there a way to configure freeradius such that if Cleartext-Password password is available it uses it, and otherwise it uses ntlm_auth to authenticate?

Thank you so much for your help.

Regards,




Oscar Remírez de Ganuza Satrústegui

Servicios Informáticos (Área de Infraestructuras)
Universidad de Navarra
Tel. +34 948425600 x803130
http://www.unav.es/SI/