Need both Local (MySQL database) and Active directory authentications.
Hi all, I have set up Freeradius (v.2.1.10) to do password authentication from MySQL database and it works fine but now I need to make some users be able to authenticate against Active directory accounts. I’ve setup winbind to authenticate windows accounts and it works but as a result freeradius lost ability to authenticate by local database. So if I comment the line: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" in /modules/mschap file then local database authentication works fine but Active directory doesn’t. With uncommented ntlm_auth Active directory works but local database doesn’t. The WiFi access points that queries the radius using WPA-Enterprise, so passwords encrypted in EAP messages and so there is no another way to validate the passwords, it have to go through mschap module anyway. Is there a way to tell mschap to use ntlm_auth depending on field in MySQL table and use the internal mechanisms if plain text passwords available in the MySQL table?
ffgch2 wrote:
I have set up Freeradius (v.2.1.10)
Upgrade to v2.2.0.
to do password authentication from MySQL database and it works fine but now I need to make some users be able to authenticate against Active directory accounts. I’ve setup winbind to authenticate windows accounts and it works but as a result freeradius lost ability to authenticate by local database.
You need to figure out when users will be checked against SQL, and when they will be checked against AD. Right now, you've configured FreeRADIUS to use both. Which isn't what you want.
So if I comment the line:
Don't randomly change things. It won't work.
Is there a way to tell mschap to use ntlm_auth depending on field in MySQL table and use the internal mechanisms if plain text passwords available in the MySQL table?
No. There are better ways. See raddb/modules/mschap. You can control when ntlm_auth is called. See "man unlang". You can configure policies. Read the debug output. What you want is this: authorize { ... sql if (ok) { update control { "MS-CHAP-Use-NTLM-Auth := No } } ... } Alan DeKok.
participants (2)
-
Alan DeKok -
ffgch2