OR-type authentication
Héctor Alberto Ortiz Barrón
hector_aob at hotmail.com
Fri Aug 18 14:03:39 CEST 2006
My radiusd.conf file
...
modules {
    mschap certificate_userpass {
        authtype = MS-CHAP
        use_mppe = yes
        require_encryption = yes
        require_strong = yes
    }
    mschap winlogon {
        authtype = MS-CHAP
        use_mppe = yes
        require_encryption = yes
        require_strong = yes
        with_ntdomain_hack = yes
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{winlogon:NT-Domain} --username=%{winlogon:User-Name} --challenge=%{winlogon:Challenge:-00} --nt-response=%{winlogon:NT-Response:-00}"
    }
    $INCLUDE ${confdir}/eap.conf
    $INCLUDE ${confdir}/sql.conf
...
instantiate {
    exec
    certificate_userpass
    winlogon
}
...
authorize {
    redundant {
        sql
        winlogon
        certificate_userpass
    }
    eap
}
...
authenticate {
    Auth-Type MS-CHAP {
        redundant {
            certificate_userpass
            winlogon
        }
    }
    eap
}
...
Using this configuration, I am able to connect to the network using a
certificate on the client computer or providing a user name and password
which are checked against the MySQL database, but I can't authenticate
against the AD. If I comment out the part regarding sql from the authorize
section and do like this in the authenticate section (inverse order):
authenticate {
    Auth-Type MS-CHAP {
        redundant {
            winlogon
            certificate
        }
    }
    eap
}
I can now authenticate against the AD and using certificates, but not using
the database.
Question:
What changes do I require in order to be able to grant access taking into
account the three methods?
Thanks for your assistance
Cheers
Héctor
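
Added example, not part of the original post and not FreeRADIUS code: a small Python model of the return-code handling described in FreeRADIUS's doc/configurable_failover, where a `redundant` block moves on to the next module only when the current one returns `fail`. The return codes given to `certificate_userpass` and `winlogon` are assumptions chosen to match the symptoms described above; `run_group` and the two action tables are hypothetical names.

```python
# Added example: simplified model of how FreeRADIUS folds module return codes
# inside a grouped section. Not FreeRADIUS source code.
RETURN = "return"  # action: stop the group now and hand back this code

# `redundant`: only "fail" (backend down) moves on; any other code returns.
REDUNDANT = {"fail": 1}
# Per-module override for a plain group: a reject also moves on, ok stops.
TRY_NEXT_ON_REJECT = {"fail": 1, "reject": 1, "ok": RETURN}


def run_group(modules, actions, results):
    """Call modules in order. `results` maps module name -> code it returns.

    Codes missing from `actions` default to RETURN. Returns the final code
    and the list of modules that were actually called.
    """
    final, priority, called = None, 0, []
    for name in modules:
        code = results[name]
        called.append(name)
        action = actions.get(code, RETURN)
        if action == RETURN:
            return code, called
        if action >= priority:  # numeric action = priority of this code
            final, priority = code, action
    return final, called


# Constructed scenario: an AD account. Assumption: the mschap instance without
# ntlm_auth has no NT hash for this user and answers "reject".
AD_USER = {"certificate_userpass": "reject", "winlogon": "ok"}
ORDER = ["certificate_userpass", "winlogon"]

if __name__ == "__main__":
    print("redundant:", run_group(ORDER, REDUNDANT, AD_USER))
    print("override: ", run_group(ORDER, TRY_NEXT_ON_REJECT, AD_USER))
    nobody = {"certificate_userpass": "reject", "winlogon": "reject"}
    print("no match: ", run_group(ORDER, TRY_NEXT_ON_REJECT, nobody))
```

In radiusd.conf terms, the second table corresponds to per-module action overrides such as `reject = 1` and `ok = return` inside a group, as described in doc/configurable_failover.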