At 09:41 PM 11/30/2009, you wrote:
Yes, if that DEFAULT entry doesn't match - it will get ignored. If you want authentication to fail if such conditions are not met you need to add Auth-Type to it. If there is no Fall-Through to DEFAULT forcing ntlm_auth, Auth-Type won't be set and authentication will fail.
so if ./users: DEFAULT Huntgroup-Name == Cisco_Huntgroup, Auth-Type:=ntlm_auth, Ldap-Group == "Infrastructure" Service-Type:=NAS-Prompt-User,cisco-avpair:="shell:priv-lvl=15", DEFAULT Huntgroup-Name == VPN_Huntgroup, Auth-Type:=ntlm_auth, Ldap-Group == "VPN_Users" it should work? I think even with the Auth-Type specified as ntm_auth, a Auth-Type is being set, as it's finding MSCHAP for me: radiusd -X gives: Found Auth-Type = MSCHAP +- entering group MS-CHAP {...} If I remark out: # Auth-Type MS-CHAP { # mschap # } from my server config, that stops it from being found, but then I lose the password for ntlm_auth I think: Found Auth-Type = ntlm_auth +- entering group authenticate {...} [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=rsteeves [ntlm_auth] expand: --password=%{User-Password} -> --password= Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) Is that going to be a limitation of using MSCHAP/MSCHAP2? Rick
Ivan Kalik
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html