Rupert had mentioned in this thread that the switch is sending a PAP request and that it isn't being forwarded to the ntlm_auth module because of that, which makes sense I suppose. I am wondering though is there a way to configure the radius server to forward (or proxy) authentication requests to the KDC for authentication? I think what I'm doing is a little outside of the how-to that has been referenced.
..
Module: Instantiating ntlm_auth exec ntlm_auth { wait = yes program = "/usr/bin/ntlm_auth ntlm_auth --request-nt-key --domain=SKYLIGHT --username=%{mschap:User-Name} --password=%{User-Password}" input_pairs = "request" shell_escape = yes } .. rad_recv: Access-Request packet from host <switch> port 1645, id=46, length=84 User-Name = "rtest" User-Password = "<omitted>" NAS-Port = 2 NAS-Port-Id = "tty2" NAS-Port-Type = Virtual Calling-Station-Id = "<omitted>" NAS-IP-Address = +- entering group authorize {...} .. [files] users: Matched entry rtest at line 1 ++[files] returns ok .. Found Auth-Type = Local WARNING: Please update your configuration, and remove 'Auth-Type = Local'
So, what happened to following the howto? Why is user entry for rtest setting Auth-Type Local and not ntlm_auth? There is nothing like that mentioned in the instructions. Debug is also printing a clear warning that that is wrong. Ivan Kalik Kalik Informatika ISP