On 11/30/2009 05:07 PM, freeradius@corwyn.net wrote:
At 03:27 PM 11/30/2009, David Mitchell wrote:
1) Don't specify the Auth-Type. You still want to check the password I assume. I think your config will let in any user who is in group "Group1" irrespective of the supplied password.
Sigh. Here I was all excited that I had everything working, and was merrily working on my docs and making them into a HOWTO. And you're right on target. Correct user ID any password permits access.
So here's my users file once I take that out: DEFAULT Huntgroup-Name == Cisco_Huntgroup, Ldap-Group == "Infrastructure" Service-Type:=NAS-Prompt-User,cisco-avpair:=shell:priv-lvl=15" DEFAULT Auth-Type = ntlm_auth
And now it doesn't work. "Authentication failed".
If I switch the order I get: "Authorization failed"
You need to set fall-through so that you still do per user processing. This is documented in the raddb/users file and you should also read doc/processing_users_file
Or just add Auth-Type := ntlm_auth to the first line (ie. instead of Accept). Fall-Through is more elegant since you don't have to add Auth-Type to every DEFAULT entry. Ivan Kalik Ivan Kalik