My radiusd.conf file ... modules { mschap certificate_userpass { authtype = MS-CHAP use_mppe = yes require_encryption = yes require_strong = yes } mschap winlogon { authtype = MS-CHAP use_mppe = yes require_encryption = yes require_strong = yes with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{winlogon:NT-Domain} --username=%{winlogon:User-Name} --challenge=%{winlogon:Challenge:-00} --nt-response=%{winlogon:NT-Response:-00}" } $INCLUDE ${confdir}/eap.conf $INCLUDE ${confdir}/sql.conf ... instantiate { exec certificate_userpass winlogon } ... authorize { redundant { sql winlogon certificate_userpass } eap } ... authenticate { Auth-Type MS-CHAP { redundant { certificate_userpass winlogon } } eap } ... Using this configuration, I am able to connect to the network using a certificate on the client computer or providing a user name and password which are checked against the mysql database, but I can't authenticate against the AD. If I comment out the part regarding sql from the authorize section and do like this in the authenticate section (inverse order): authenticate { Auth-Type MS-CHAP { redundant { winlogon certificate } } eap } I can now authenticate against the AD and using certificates, but not using the database. Question: What changes do I require in order to be able to grant access taking into account the three methods? Thanks for your assistance Cheers Héctor
Héctor Alberto Ortiz Barrón wrote:
My radiusd.conf file ... modules { mschap certificate_userpass { } mschap winlogon { } $INCLUDE ${confdir}/eap.conf $INCLUDE ${confdir}/sql.conf ... instantiate { exec certificate_userpass winlogon } ... authorize { redundant { sql winlogon certificate_userpass } eap } ... authenticate { Auth-Type MS-CHAP { redundant { certificate_userpass winlogon } } eap } ... Using this configuration, I am able to connect to the network using a
That configuration looks seriously, seriously broken. Why have you defined >1 mschap module and called one "certificate_userpass" when the mschap module can only handle ms-chap? Why are you playing odd games with redundant copies of modules in odd places? Why are you putting modules in the instantiate section that don't need it?
certificate on the client computer or providing a user name and password which are checked against the mysql database, but I can't authenticate against the AD. If I comment out the part regarding sql from the
I'm not surprised.
authorize section and do like this in the authenticate section (inverse order): authenticate { Auth-Type MS-CHAP { redundant { winlogon certificate } } eap } I can now authenticate against the AD and using certificates, but not using the database. Question: What changes do I require in order to be able to grant access taking into account the three methods?
Perhaps you could be more specific about what you're trying to do. You cannot authenticate a single user against two sources of info - how would that even work? Are you saying that you have some users in SQL and some users in a domain controller, and want both to work? I take it this is for 802.1x authentication? You almost certainly want something a bit more like this: modules { mschap { # we will override use of this on a per-user basis for users in SQL ntlm_auth = whatever } $INCLUDE ${confdir}/eap.conf $INCLUDE ${confdir}/sql.conf } authorize { preprocess sql mschap eap } authenticate { Auth-Type MS-CHAP { mschap } eap } ...and for your users in SQL, have this: id | username | attribute | op | value ----+----------+-----------------------+----+---------- 1 | foo | User-Password | := | bar 2 | foo | MS-CHAP-Use-NTLM-Auth | := | 0
participants (2)
-
Héctor Alberto Ortiz Barrón -
Phil Mayers