separating Users?
freeradius at corwyn.net
Tue Dec 1 05:03:20 CET 2009
At 09:41 PM 11/30/2009, you wrote:
>Yes, if that DEFAULT entry doesn't match - it will get ignored. If you
>want authentication to fail if such conditions are not met you need to add
>Auth-Type to it. If there is no Fall-Through to DEFAULT forcing ntlm_auth,
>Auth-Type won't be set and authentication will fail.
so if ./users:
DEFAULT Huntgroup-Name == Cisco_Huntgroup,
Auth-Type:=ntlm_auth, Ldap-Group == "Infrastructure"
Service-Type:=NAS-Prompt-User,cisco-avpair:="shell:priv-lvl=15",
DEFAULT Huntgroup-Name == VPN_Huntgroup,
Auth-Type:=ntlm_auth, Ldap-Group == "VPN_Users"
it should work? I think even with the Auth-Type specified as
ntlm_auth, an Auth-Type is being set, as it's finding MSCHAP for me:
radiusd -X gives:
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
If I remark out:
# Auth-Type MS-CHAP {
# mschap
# }
from my server config, that stops it from being found, but then I
lose the password for ntlm_auth I think:
Found Auth-Type = ntlm_auth
+- entering group authenticate {...}
[ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=rsteeves
[ntlm_auth] expand: --password=%{User-Password} -> --password=
Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
Is that going to be a limitation of using MSCHAP/MSCHAP2?
Rick
>Ivan Kalik
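The symptom in the debug output above is an attribute that expands to an empty string before it is handed to an external program. As an added example (not part of the original message or of FreeRADIUS), the script below scans `radiusd -X` output for such expansions; the function name `find_empty_expansions` is hypothetical and the sample input is constructed from the lines quoted in the message.

```python
import re

# Constructed sample: the radiusd -X lines quoted in the message above.
SAMPLE_DEBUG = """\
Found Auth-Type = ntlm_auth
+- entering group authenticate {...}
[ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=rsteeves
[ntlm_auth] expand: --password=%{User-Password} -> --password=
Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
"""

AUTH_TYPE = re.compile(r"Found Auth-Type = (\S+)")
EXPAND = re.compile(
    r"\[(?P<module>[^\]]+)\]\s+expand: (?P<template>.*?) ->\s?(?P<result>.*)$")
ATTR_REF = re.compile(r"%\{([^{}]+)\}")  # simple, non-nested %{...} references


def find_empty_expansions(debug_text):
    """Return a finding for each expand line whose attributes all came out empty."""
    findings = []
    auth_type = None
    for line in debug_text.splitlines():
        found = AUTH_TYPE.search(line)
        if found:
            auth_type = found.group(1)  # remember which Auth-Type is in effect
            continue
        exp = EXPAND.search(line)
        if not exp:
            continue
        template = exp.group("template")
        refs = ATTR_REF.findall(template)
        # With every %{...} removed, only the template's literal text is left.
        # If the result equals that text, the attributes contributed nothing.
        literal_only = ATTR_REF.sub("", template)
        if refs and exp.group("result").strip() == literal_only.strip():
            findings.append({
                "auth_type": auth_type,
                "module": exp.group("module"),
                "attributes": refs,
                "template": template,
            })
    return findings


if __name__ == "__main__":
    for f in find_empty_expansions(SAMPLE_DEBUG):
        print(f"Auth-Type {f['auth_type']}: [{f['module']}] {f['template']!r} "
              f"expanded with empty {', '.join(f['attributes'])}")
```

An MS-CHAP request carries a challenge and a response rather than a User-Password attribute, so a finding on `%{User-Password}` under such a request means the external program was given no password to check.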