"Ken George" <Ken.George@mi-services.com> wrote:
Also, my final goal is to authenticate clients to a Cisco Aironet 1200 via our Windows 2003 Active Directory usernames and passwords is ntlm_auth the correct method to use?
Yes.
Below are the ntlm_auth section of radiusd.conf and the radtest string used and the debug output from the other window.
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
That looks fine.
radtest "test ops" xxxxxx localhost 0 testing123
That doesn't use MSCHAPv2, so the MSCHAP module won't run, and the ntlm_auth program won't run. If you want to pass *clear-text* passwords to ntlm_auth, you've got to do something different. The command-line example you posted works, because you're giving it a clear-text password. The mschap configuration you posted uses mschap, and doesn't send a clear-text password. So... the mschap configuration you posted won't work with clear-text passwords. The debug output you posted shows this. You use "radtest" to send a clear-text password, and the mschap module doesn't run. This shouldn't be a surprise. What you need to do is to configure a *different* ntlm_auth, only for clear-text passwords. The simplest way to do this is to use the "exec" module: modules { ... exec win_domain { wait = yes input_pairs = request output_pairs = reply program = "ntlm_auth --username=\"%{User-Name}\" --password=\"%{User-Password}\" --domain=usmisgne" } ... } Now list "win_domain" in the "authenticate" section, and add the following entry to the "users" file: DEFAULT Auth-Type = win_domain This will use "win_domain" for authentication UNLESS the mschap module has previously found MSCHAP in the request. Alan DeKok.