Jonathan van der Wat wrote:
Alan,
I've been searching the lists for most of the day but haven't been able to come right. What I've noticed recently is that if I add the user on the test box with no password, and then try to sign on via ssh I see the following in the radiusd debug output:
User-Password = "/*mypassword*/"
That's how PAM works. You need to have users in /etc/passwd for UID, GID, etc. PAM does password checking *only*.
However, the user is still not authenticated via the FreeRADIUS server.
Well... go read the debug output to see why.
If I explicitly go and add that user to the */etc/raddb/users* file, then authentication works via PAP. How do I tell FreeRADIUS to use MS-CHAP for all users?
You don't. The authentication method (PAP, CHAP, MS-CHAP) is chosen by the client. In this case, the pam_radius_auth module. And the "active directory" pages on my web set tells you how to authenticate to AD using PAP. This is documented. Alan DeKok.