Hi Alan, I followed the configuration off of deployingfreeradius.com http://deployingradius.com/documents/configuration/active_directory.html I diff'ed my configuration with the original files. And the only changes I've made is adding ntlm_auth to authenticate of both "default" and "inner-tunnel" as well as the "ntlm_auth =" line in modules/mschap. Other than minor configurations to do with LDAP, which I protect with an "if" statement, it's a regular FR install. Can you tell me what configs you want to know? Attached are mschap and inner-tunnel since I think those would be most relevant. Note that ntlm->AD works, and so do files. It's just that files don't work while ntlm_auth is enabled. Nathan Van Fleet
-----Original Message----- From: freeradius-users- bounces+nmcdavit=alcor.concordia.ca@lists.freeradius.org [mailto:freeradius-users- bounces+nmcdavit=alcor.concordia.ca@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Wednesday, April 21, 2010 1:25 PM To: FreeRadius users mailing list Subject: Re: Users File co-existing with NTLM-Auth
Nathan McDavit-Van Fleet wrote:
I have a users file with name and password. I would like Freeradius to check if there is a good username/password in the users file before failing using ntlm_auth.
That's not quite it... the "users" file *sets* the "known good" password in the "authorize" stage of the server. The "pap" or "chap" module *checks* the password.
As I said I currently have a good working copy of Freeradius with ntlm_auth configuration. However, when I have ntlm_auth in inner-tunnel->"authenticate" section, the username/password in the users file no longer works. So if I disable the entry "ntlm_auth" from the authenticate the users file works again.
Again... that is confusing authentication with authorization.
I know that the username is unique to my users file (it doesn't exist on AD).
I just need it so when ntlm_auth fails, it checks the known password from the users file.
So is this a case of me having to see if there is a known good password before trying ntlm_auth?
Possibly. However, I have *no idea* what you've configured. The default configuration doesn't have an "ntlm_auth" entry in sites-available/inner-tunnel, and none of the "howtos" I've written would result in this behavior.
Please post a sample of your configuration. How does it know to run ntlm_auth in the authenticate method? Odds are you've configured it to *force* ntlm_auth authentication, even when there's an entry in the "users" file.
The simple answer is "don't do that".
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html