On 11/05/12 11:40, Paolo Barbato wrote:
On a test deployment I've both mysql and ntlm (AD) configured.
By "ntlm" you mean the "mschap" module calling the "ntlm_auth" helper, yes?
If I use EAP no problem to authenticate users on both backend.
But…in the process to use a Cisco WLC captive portal I've verified that only sql works.
WLC captive portal sends "pap" requests. Therefore, the "mschap" module doesn't (can't) process them. You can create a simple "exec" module which calls "ntlm_auth" in username/password mode, like so: modules/papntdom: exec papntdom { wait = yes program = "/usr/bin/ntlm_auth --username=%{%{Stripped-User-Name}:-%{mschap:User-Name}} --password=%{User-Password}" } You then need to arrange for the "papntdom" module to be called for users who aren't found in SQL. For example: sites-enables/default: authorize { ... sql if (notfound) { # if not found in SQL if (User-Password) { # and it's a PAP request update control { Auth-Type = PAPNTDOM } } } ... } authenticate { Auth-Type PAP { # handles users in SQL w/ Cleartext-Password pap } Auth-Type PAPNTDOM { # handles users in Active Directory papntdom } } Obviously you will need to modify this policy as appropriate, to meet your needs and match the other modules you are using.