Beating a dead horse, or freeradius 2.1.1 and active directory

tnt at tnt at
Thu Dec 4 03:10:09 CET 2008

>Rupert had mentioned in this thread that the switch is sending a PAP request and that it isn't being forwarded to the ntlm_auth module because of that, which makes sense I suppose.  I am wondering though is there a way to configure the radius server to forward (or proxy) authentication requests to the KDC for authentication?  I think what I'm doing is a little outside of the how-to that has been referenced.
> Module: Instantiating ntlm_auth
>  exec ntlm_auth {
>	wait = yes
>	program = "/usr/bin/ntlm_auth ntlm_auth --request-nt-key --domain=SKYLIGHT --username=%{mschap:User-Name} --password=%{User-Password}"
>	input_pairs = "request"
>	shell_escape = yes
>  }
>rad_recv: Access-Request packet from host <switch> port 1645, id=46, length=84
>	User-Name = "rtest"
>	User-Password = "<omitted>"
>	NAS-Port = 2
>	NAS-Port-Id = "tty2"
>	NAS-Port-Type = Virtual
>	Calling-Station-Id = "<omitted>"
>	NAS-IP-Address = +- entering group authorize {...}
>[files] users: Matched entry rtest at line 1
>++[files] returns ok
>Found Auth-Type = Local
>WARNING: Please update your configuration, and remove 'Auth-Type = Local'

So, what happened to following the howto? Why is user entry for rtest
setting Auth-Type Local and not ntlm_auth? There is nothing like that
mentioned in the instructions. Debug is also printing a clear warning
that that is wrong.

Ivan Kalik
Kalik Informatika ISP

More information about the Freeradius-Users mailing list