You sir, are awesome Alan DeKok. Nathan Van Fleet
-----Original Message----- From: freeradius-users- bounces+nmcdavit=alcor.concordia.ca@lists.freeradius.org [mailto:freeradius-users- bounces+nmcdavit=alcor.concordia.ca@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Wednesday, April 21, 2010 2:04 PM To: FreeRadius users mailing list Subject: Re: Users File co-existing with NTLM-Auth
Nathan McDavit-Van Fleet wrote:
I followed the configuration off of deployingfreeradius.com
http://deployingradius.com/documents/configuration/active_directory.htm l
That's a good start. :)
I diff'ed my configuration with the original files. And the only changes I've made is adding ntlm_auth to authenticate of both "default" and "inner-tunnel" as well as the "ntlm_auth =" line in modules/mschap.
OK... that should use ntlm_auth for MS-CHAP, and only for MS-CHAP. So are you using MS-CHAP, or PEAP?
Other than minor configurations to do with LDAP, which I protect with an "if" statement, it's a regular FR install. Can you tell me what configs you want to know?
Attached are mschap and inner-tunnel since I think those would be most relevant. Note that ntlm->AD works, and so do files. It's just that files don't work while ntlm_auth is enabled.
I'm not sure what you mean by "when ntlm_auth is enabled". There are a few places where it could be enabled... which ones?
My *guess* is that you're using PEAP, and enabling ntlm_auth in modules/mschap. If so, then change the "authorize" section by adding this at the end:
if (control:Cleartext-Password) { update control { MS-CHAP-Use-NTLM-Auth = No } }
The "MS-CHAP-Use-NTLM-Auth" attribute is documented in the comments in the modules/mschap file.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html