freeradius@corwyn.net wrote:
Having just followed all of those instructions to build out my production systems, I have a few tweaks to fix all those little things that drive one insane when following someone's instructions because they never tested them.
Thanks. Here's a short review.
Note that the configuring of SAMBA, kerberos, and adding to the domain should already be done as part of the default Linux install, see h:\is\operating system\Linux\Guide_linux.doc
This file is... ?
Verify that a user in the domain can be authenticated: wbinfo -a user%password Try the same login with the ntlm_auth program, which is what FreeRADIUS will be using: ntlm_auth --request-nt-key --domain=MYDOMAIN --username=user --password=password /etc/raddb/radiusd.conf (see Appendix C)
Update max_requests to # users * 256
That isn't necessary. It should be no more than "max request/s * max_request_time".
Add to the end of the auth listen {..} (to permit groups of clients) clients = disambiguate
Add to the end of the acct listen {..} (to permit groups of clients) clients = disambiguate
I don't understand why this is necessary. All it does is put the clients into a sub-section. There's no additional value or capabilities in doing this.
Since we're not using any of these methods for the Ciscos, in authenticate{..} disable: chap, mschap, suffix, ntdomain, unix, pap
Add to the end of the authorize{..} section: ntlm_auth
Or to the end of the "authenticate" section?
Note: The secret needs to match the secret set on the respective client. Change the secret to an actual secret
clients disambiguate {
Again, there's no reason for this. Alan DeKok.