NLTM_AUTH (PAP) and MS-CHAP2 together?
After getting NTLM_AUTH working using PAP, I decided to try the MS-CHAP2 as well and that appears to work, but I had to remove the line "DEFAULT Auth-Type := ntlm_auth" from my users file. When I do that MS-CHAP2 works, but PAP doesn't. I will have various radius clients, some of which support MS-CHAP2, but some do not. How can I use both together? My users will be connecting to both services, so defining a specific AUTH-TYPE for each user won't work. -Mike
Mike Diggins wrote:
After getting NTLM_AUTH working using PAP, I decided to try the MS-CHAP2 as well and that appears to work, but I had to remove the line "DEFAULT Auth-Type := ntlm_auth" from my users file.
Use "=", not ":=". I updated the "howto" on my web site a few weeks ago to reflect this.
When I do that MS-CHAP2 works, but PAP doesn't. I will have various radius clients, some of which support MS-CHAP2, but some do not. How can I use both together? My users will be connecting to both services, so defining a specific AUTH-TYPE for each user won't work.
The above change should work. Alan DeKok.
On Sat, 3 Jan 2009, Alan DeKok wrote:
Mike Diggins wrote:
After getting NTLM_AUTH working using PAP, I decided to try the MS-CHAP2 as well and that appears to work, but I had to remove the line "DEFAULT Auth-Type := ntlm_auth" from my users file.
Use "=", not ":=". I updated the "howto" on my web site a few weeks ago to reflect this.
When I do that MS-CHAP2 works, but PAP doesn't. I will have various radius clients, some of which support MS-CHAP2, but some do not. How can I use both together? My users will be connecting to both services, so defining a specific AUTH-TYPE for each user won't work.
The above change should work.
Thanks, that worked. I was following your web page too, not sure how I missed that. If my user file looks like this: diggins Auth-Type = ntlm_auth Reply-Message = "Group=NetWorkers", DEFAULT Auth-Type = ntlm_auth How do I stop it from sending the same Reply message when the user enters a incorrect password. Right now the Reject responds like this: Sending Access-Reject of id 22 to 192.168.2.2 port 1025 Reply-Message = "Group=NetWorkers" Also, my client (a cisco ASA5500 VPN Server) has an authorization check box. When I check it, it sends a Radius request with the username and password both filled in with the username. FreeRadius seems to treat it as another authentication request. What is its purpose? -Mike
Mike Diggins wrote:
How do I stop it from sending the same Reply message when the user enters a incorrect password. Right now the Reject responds like this:
Sending Access-Reject of id 22 to 192.168.2.2 port 1025 Reply-Message = "Group=NetWorkers"
Use attr_filter to delete it. Or, update the rules to add the Reply-Message in the "post-auth" section.
Also, my client (a cisco ASA5500 VPN Server) has an authorization check box. When I check it, it sends a Radius request with the username and password both filled in with the username. FreeRadius seems to treat it as another authentication request. What is its purpose?
<shrug> Ask Cisco. Alan DeKok.
On Sun, 4 Jan 2009, Alan DeKok wrote:
Mike Diggins wrote:
How do I stop it from sending the same Reply message when the user enters a incorrect password. Right now the Reject responds like this:
Sending Access-Reject of id 22 to 192.168.2.2 port 1025 Reply-Message = "Group=NetWorkers"
Use attr_filter to delete it.
Or, update the rules to add the Reply-Message in the "post-auth" section.
I'm just getting back to this problem. I'm lost as to how to implement either of these solutions. To summarise, I want to either remove, or just not send, any Reply-Message when the user fails authentication. Where would I put this attr_filter to delete it, and what does the attr_filer look like? I imagine this is documented, but I can't find the relevant bits. -Mike
I'm just getting back to this problem. I'm lost as to how to implement either of these solutions. To summarise, I want to either remove, or just not send, any Reply-Message when the user fails authentication. Where would I put this attr_filter to delete it, and what does the attr_filer look like? I imagine this is documented, but I can't find the relevant bits.
Use attr_filter to delete it.
You don't have to put it - it's already there in Post-Auth-Type REJECT. Just remove Reply-Message from attrs.access_reject file.
Or, update the rules to add the Reply-Message in the "post-auth" section.
Use unlang in Post-Auth-Type REJECT. update reply { Reply-Message := whatever } Ivan Kalik Kalik Informatika ISP
On Tue, 10 Mar 2009, tnt@kalik.net wrote:
I'm just getting back to this problem. I'm lost as to how to implement either of these solutions. To summarise, I want to either remove, or just not send, any Reply-Message when the user fails authentication. Where would I put this attr_filter to delete it, and what does the attr_filer look like? I imagine this is documented, but I can't find the relevant bits.
Use attr_filter to delete it.
You don't have to put it - it's already there in Post-Auth-Type REJECT. Just remove Reply-Message from attrs.access_reject file.
Or, update the rules to add the Reply-Message in the "post-auth" section.
Use unlang in Post-Auth-Type REJECT.
update reply { Reply-Message := whatever }
That was easy ;) Thanks, -Mike
participants (3)
-
Alan DeKok -
Mike Diggins -
tnt@kalik.net