All, Does anyone know how i can configure ntlm fall-through, eg. try to authenticate the user local (via password entry in users file) and if the user isn't found use ntlm-auth(or first ntlm and afterwards userfile is also ok)? If i comment out the ntlm-auth line in the mschap section of radiusd.conf the user is authenticate local. I searched the archives and found the same question below, but no answer to the problem. Anyone who can help me with this? http://lists.freeradius.org/mailman/htdig/freeradius-users/2005-August/04669... Stieven Struyf M.I.S. Division - System Operations Komatsu Europe International NV Mechelsesteenweg 586 B-1800 Vilvoorde Stieven.Struyf@komatsu.eu Tel. +32 (0)2 2552551
Stieven.Struyf@komatsu.eu wrote:
All, Does anyone know how i can configure ntlm fall-through, eg. try to authenticate the user local (via password entry in users file)
No, the "users" file doesn't authenticate anyone. It just adds a "known good" password to the request. Some other module takes care of authenticating the user.
and if the user isn't found use ntlm-auth(or first ntlm and afterwards userfile is also ok)? If i comment out the ntlm-auth line in the mschap section of radiusd.conf the user is authenticate local.
See doc/configurable_failover. You should be able to add a statement to the "authenticate" section saying "try FOO, and if that fails, try BAR". This is really not a recommended configuration, however. It is difficult to make it work well. Perhaps you could say *why* you need this, rather than asking how to implement a particular solution. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Alan, A month ago i configured ntlm authentication for our internal wifi users. This works fine, but now i also needed to give access to some external consultants who didn't have an AD account. I found a solution however by using the "MS-Chap-Use-NTLM-Auth := 0" variable for those users (but it would be nice if it would autom. fell through when no AD account was found) btw. i'm new to the (for me) more advanced features/internals of (free)radius, thanks for explaining me. Stieven Struyf M.I.S. Division - System Operations Komatsu Europe International NV Mechelsesteenweg 586 B-1800 Vilvoorde Stieven.Struyf@komatsu.eu Tel. +32 (0)2 2552551 freeradius-users-bounces+stieven.struyf=komatsu.eu@lists.freeradius.org wrote on 12/19/2006 08:24:55 PM:
Stieven.Struyf@komatsu.eu wrote:
All, Does anyone know how i can configure ntlm fall-through, eg. try to authenticate the user local (via password entry in users file)
No, the "users" file doesn't authenticate anyone. It just adds a "known good" password to the request. Some other module takes care of authenticating the user.
and if the user isn't found use ntlm-auth(or first ntlm and afterwards userfile is also ok)? If i comment out the ntlm-auth line in the mschap section of radiusd.conf the user is authenticate local.
See doc/configurable_failover. You should be able to add a statement to the "authenticate" section saying "try FOO, and if that fails, try BAR".
This is really not a recommended configuration, however. It is difficult to make it work well.
Perhaps you could say *why* you need this, rather than asking how to implement a particular solution.
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
Stieven.Struyf@komatsu.eu