Good afternoon, As I said some days ago in this list, we have configured our freeradius server to use ntlm_auth for autentication following the document: http://deployingradius.com/documents/configuration/active_directory.html Everything is working as expected. Thanks! But I have some doubts about that documentation. In section "Configuring FreeRADIUS to use ntlm_auth" is said to "to list ntlm_auth in the authenticate sections of each the raddb/sites-enabled/default file, and of the raddb/sites-enabled/inner-tunnel file." I have made some tests and it seems that is not needed to add it, as freeradius is using mschap module to autenticate. +- entering group MS-CHAP {...} [mschap] Client is using MS-CHAPv1 with NT-Password [mschap] expand: %{Stripped-User-Name} -> oscarrdg [mschap] expand: --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -> --username=oscarrdg [mschap] mschap1: b9 [mschap] expand: %{mschap:Challenge} -> b9415739df3a9c1b [mschap] expand: --challenge=%{%{mschap:Challenge}:-00} -> --challenge=b9415739df3a9c1b [mschap] expand: %{mschap:NT-Response} -> 2d41aa6d7e87e086dfc2920f2234b58ca1f6efe2c71505b8 [mschap] expand: --nt-response=%{%{mschap:NT-Response}:-00} -> --nt-response=2d41aa6d7e87e086dfc2920f2234b58ca1f6efe2c71505b8 Exec-Program output: NT_KEY: 312D5366FF0179461F1E13FA4AECD06A Exec-Program-Wait: plaintext: NT_KEY: 312D5366FF0179461F1E13FA4AECD06A Exec-Program: returned: 0 [mschap] adding MS-CHAPv1 MPPE keys ++[mschap] returns ok Is there anything else to take into account considering adding that section to the virtual servers configuration or not? Or is it just needed when Auth-Type is set to ntlm_auth manually in order to test the system? I usually prefer to let config files as similar to the default files as posible. Thank you so much for your help. Regards, * Oscar Remírez de Ganuza Satrústegui* Servicios Informáticos (Área de Infraestructuras) Universidad de Navarra Tel. +34 948425600 x803130 http://www.unav.es/SI/
Hi,
But I have some doubts about that documentation. In section "Configuring FreeRADIUS to use ntlm_auth" is said to "to list ntlm_auth in the authenticate sections of each the raddb/sites-enabled/default file, and of the raddb/sites-enabled/inner-tunnel file."
we dont do that. we just have ntlm_auth as required configured in the mschap module. alan
On 06/03/13 15:31, Óscar Remírez de Ganuza Satrústegui wrote:
Good afternoon,
As I said some days ago in this list, we have configured our freeradius server to use ntlm_auth for autentication following the document: http://deployingradius.com/documents/configuration/active_directory.html
If you read that page carefully, you'll see it's talking about two different modules for two different purposes. Specifically: 1. It first talks about creating an instance of the "exec" module called "ntlm_auth". This processes PAP requests, and is tested by forcing Auth-Type 2. It then talks about throwing that config away (remove the Auth-Type, stop using that module) and now configuring the "mschap" module, by setting the "ntlm_auth" helper. It might be a bit confusing that "ntlm_auth" is used twice there - once as the name of an "exec" instance, once as a config variable for the "mschap" module, but they're different use-cases.
Everything is working as expected. Thanks!
But I have some doubts about that documentation. In section "Configuring FreeRADIUS to use ntlm_auth" is said to "to list ntlm_auth in the authenticate sections of each the raddb/sites-enabled/default file, and of the raddb/sites-enabled/inner-tunnel file."
I have made some tests and it seems that is not needed to add it, as
Correct, you don't need it.
Ok, thanks for your help! * Oscar Remírez de Ganuza Satrústegui* Servicios Informáticos (Área de Infraestructuras) Universidad de Navarra Tel. +34 948425600 x803130 http://www.unav.es/SI/ On Wed, Mar 6, 2013 at 5:12 PM, Phil Mayers <p.mayers@imperial.ac.uk> wrote:
On 06/03/13 15:31, Óscar Remírez de Ganuza Satrústegui wrote:
Good afternoon,
As I said some days ago in this list, we have configured our freeradius server to use ntlm_auth for autentication following the document: http://deployingradius.com/**documents/configuration/** active_directory.html<http://deployingradius.com/documents/configuration/active_directory.html>
If you read that page carefully, you'll see it's talking about two different modules for two different purposes.
Specifically:
1. It first talks about creating an instance of the "exec" module called "ntlm_auth". This processes PAP requests, and is tested by forcing Auth-Type
2. It then talks about throwing that config away (remove the Auth-Type, stop using that module) and now configuring the "mschap" module, by setting the "ntlm_auth" helper.
It might be a bit confusing that "ntlm_auth" is used twice there - once as the name of an "exec" instance, once as a config variable for the "mschap" module, but they're different use-cases.
Everything is working as expected. Thanks!
But I have some doubts about that documentation. In section "Configuring FreeRADIUS to use ntlm_auth" is said to "to list ntlm_auth in the authenticate sections of each the raddb/sites-enabled/default file, and of the raddb/sites-enabled/inner-**tunnel file."
I have made some tests and it seems that is not needed to add it, as
Correct, you don't need it.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/** list/users.html <http://www.freeradius.org/list/users.html>
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Phil Mayers -
Óscar Remírez de Ganuza Satrústegui