Beating a dead horse, or freeradius 2.1.1 and active directory

Ben Little BLittle at
Thu Dec 4 03:21:23 CET 2008

The how to lists the user account in bold indicating it should be modified to fit my environment.  I created a user named rtest in active directory and am using that account for testing I do not think it will matter if I create a user called user to test with but I can.

There is an entry in the users file that states (according to the how to this can be used for testing)
rtest   Auth-type := "ntlm_auth"

(Btw this fails unless ntlm_auth is inside quotes which is not shown in the how to)

Which doesn't work using radtest.

As far as the "warning" where exactly in the how to does it say to disable local auth because I sure didn't see it.  This is enabled in the default install apparently because I sure didn't enable it.

I appreciate the reply...

Sent from Blackberry handheld device

----- Original Message -----
From: at < at>
To: FreeRadius users mailing list <freeradius-users at>
Sent: Wed Dec 03 18:10:09 2008
Subject: RE: Beating a dead horse, or freeradius 2.1.1 and active directory

>Rupert had mentioned in this thread that the switch is sending a PAP request and that it isn't being forwarded to the ntlm_auth module because of that, which makes sense I suppose.  I am wondering though is there a way to configure the radius server to forward (or proxy) authentication requests to the KDC for authentication?  I think what I'm doing is a little outside of the how-to that has been referenced.
> Module: Instantiating ntlm_auth
>  exec ntlm_auth {
>	wait = yes
>	program = "/usr/bin/ntlm_auth ntlm_auth --request-nt-key --domain=SKYLIGHT --username=%{mschap:User-Name} --password=%{User-Password}"
>	input_pairs = "request"
>	shell_escape = yes
>  }
>rad_recv: Access-Request packet from host <switch> port 1645, id=46, length=84
>	User-Name = "rtest"
>	User-Password = "<omitted>"
>	NAS-Port = 2
>	NAS-Port-Id = "tty2"
>	NAS-Port-Type = Virtual
>	Calling-Station-Id = "<omitted>"
>	NAS-IP-Address = +- entering group authorize {...}
>[files] users: Matched entry rtest at line 1
>++[files] returns ok
>Found Auth-Type = Local
>WARNING: Please update your configuration, and remove 'Auth-Type = Local'

So, what happened to following the howto? Why is user entry for rtest
setting Auth-Type Local and not ntlm_auth? There is nothing like that
mentioned in the instructions. Debug is also printing a clear warning
that that is wrong.

Ivan Kalik
Kalik Informatika ISP

List info/subscribe/unsubscribe? See
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Freeradius-Users mailing list