Phil…really helpful. Thanks !!! On 11/mag/2012, at 13:43, Phil Mayers wrote:
On 11/05/12 11:40, Paolo Barbato wrote:
On a test deployment I've both mysql and ntlm (AD) configured.
By "ntlm" you mean the "mschap" module calling the "ntlm_auth" helper, yes?
If I use EAP no problem to authenticate users on both backend.
But…in the process to use a Cisco WLC captive portal I've verified that only sql works.
WLC captive portal sends "pap" requests. Therefore, the "mschap" module doesn't (can't) process them.
You can create a simple "exec" module which calls "ntlm_auth" in username/password mode, like so:
modules/papntdom:
exec papntdom { wait = yes program = "/usr/bin/ntlm_auth --username=%{%{Stripped-User-Name}:-%{mschap:User-Name}} --password=%{User-Password}" }
You then need to arrange for the "papntdom" module to be called for users who aren't found in SQL. For example:
sites-enables/default:
authorize { ... sql if (notfound) { # if not found in SQL if (User-Password) { # and it's a PAP request update control { Auth-Type = PAPNTDOM } } } ... }
authenticate { Auth-Type PAP { # handles users in SQL w/ Cleartext-Password pap } Auth-Type PAPNTDOM { # handles users in Active Directory papntdom } }
Obviously you will need to modify this policy as appropriate, to meet your needs and match the other modules you are using. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------------------------------------------------------------------------ Paolo Barbato Consorzio RFX corso Stati Uniti,4 35127 Padova - Italy Network Administrator phone: +39 049 8295097 fax: +39 049 8700718 ------------------------------------------------------------------------------------------------