allowing multiple Auth-Type in authorize file
Hi, I’ve set up freeradius 3.0.17 quite some time ago to process ssh logins based on LDAP/AD accounts (with group membership in post-auth) and this works fine. I followed the guide on deployingradius.com ( http://deployingradius.com/documents/configuration/active_directory.html), but haven’t implemented the mschap section as I didn’t need it at the time. Now I am running into this need and I was trying to figure out why it wasn’t working only to discover that I left the DEFAULT Auth-Type = ntlm_auth Line in the mods-config/files/authorize file. As expected this breaks my attempts to include mschap. My problem is that this is the only non-commented line in the entire file, so rather than just delete the line I need to enter some other information here to prevent the ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject In the comments in the file it states that multiple DEFAULTs can be used with Fall-Through so I tried this: DEFAULT Auth-Type = ntlm_auth Fall-Through = Yes DEFAULT Auth-Type = mschap But this doesn’t work. What is the best approach for this? I would like to avoid having to name my users here since they are in ldap already and I don’t know if a device will only authenticate using mschap or not (e.g. it will be difficult to split this out in the clients.conf file). My google skills are letting me down on this, some pointers in the right direction would be very much appreciated. Regards, Niels
On Mar 23, 2019, at 10:28 AM, Niels Tomey <niels@ixs.ph> wrote:
I’ve set up freeradius 3.0.17 quite some time ago to process ssh logins based on LDAP/AD accounts (with group membership in post-auth) and this works fine. I followed the guide on deployingradius.com ( http://deployingradius.com/documents/configuration/active_directory.html), but haven’t implemented the mschap section as I didn’t need it at the time.
Ok.
Now I am running into this need and I was trying to figure out why it wasn’t working only to discover that I left the
DEFAULT Auth-Type = ntlm_auth
Line in the mods-config/files/authorize file. As expected this breaks my attempts to include mschap.
Yes. You can set that only if there's no MS-CHAP attributes.
My problem is that this is the only non-commented line in the entire file, so rather than just delete the line I need to enter some other information here to prevent the
ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
Yes.
In the comments in the file it states that multiple DEFAULTs can be used with Fall-Through so I tried this:
DEFAULT Auth-Type = ntlm_auth
Fall-Through = Yes
DEFAULT Auth-Type = mschap
But this doesn’t work.
Yes. Don't set multiple Auth-Types. Plus, the "users" file can't really do complex if / then / else checks. Use "unlang" for that.
What is the best approach for this? I would like to avoid having to name my users here since they are in ldap already and I don’t know if a device will only authenticate using mschap or not (e.g. it will be difficult to split this out in the clients.conf file).
Delete the Auth-Type entries from mods-config/files/authorize . Then edit sites-enabled/default: authorize { ... mschap # sets Auth-Type mschap for MSCHAP stuff... ... # # If it's PAP, use ntlm_auth # if (User-Password) { update control { Auth-Type := ntlm_auth } } pap } That should work. Alan DeKok.
authorize { ... mschap # sets Auth-Type mschap for MSCHAP stuff... ... # # If it's PAP, use ntlm_auth # if (User-Password) { update control { Auth-Type := ntlm_auth } } pap } That makes perfect sense, I noticed while testing stuff that the User-Password remains empty when the incoming request is mschap but the config forces ntlm_auth. Will have to wait until I'm in the office tomorrow but I can see how this works. Thanks for pointing me in the right direction! Niels On Sun, Mar 24, 2019, 02:58 Alan DeKok <aland@deployingradius.com> wrote:
On Mar 23, 2019, at 10:28 AM, Niels Tomey <niels@ixs.ph> wrote:
I’ve set up freeradius 3.0.17 quite some time ago to process ssh logins based on LDAP/AD accounts (with group membership in post-auth) and this works fine. I followed the guide on deployingradius.com ( http://deployingradius.com/documents/configuration/active_directory.html ), but haven’t implemented the mschap section as I didn’t need it at the time.
Ok.
Now I am running into this need and I was trying to figure out why it wasn’t working only to discover that I left the
DEFAULT Auth-Type = ntlm_auth
Line in the mods-config/files/authorize file. As expected this breaks my attempts to include mschap.
Yes. You can set that only if there's no MS-CHAP attributes.
My problem is that this is the only non-commented line in the entire file, so rather than just delete the line I need to enter some other information here to prevent the
ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
Yes.
In the comments in the file it states that multiple DEFAULTs can be used with Fall-Through so I tried this:
DEFAULT Auth-Type = ntlm_auth
Fall-Through = Yes
DEFAULT Auth-Type = mschap
But this doesn’t work.
Yes. Don't set multiple Auth-Types.
Plus, the "users" file can't really do complex if / then / else checks. Use "unlang" for that.
What is the best approach for this? I would like to avoid having to name my users here since they are in ldap already and I don’t know if a device will only authenticate using mschap or not (e.g. it will be difficult to split this out in the clients.conf file).
Delete the Auth-Type entries from mods-config/files/authorize . Then edit sites-enabled/default:
authorize { ... mschap # sets Auth-Type mschap for MSCHAP stuff... ...
# # If it's PAP, use ntlm_auth # if (User-Password) { update control { Auth-Type := ntlm_auth } } pap }
That should work.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
Niels Tomey