NTLM_AUTH (PAP) and MS-CHAP2 together?
Mike Diggins
mike.diggins at McMaster.CA
Sun Jan 4 04:16:38 CET 2009
On Sat, 3 Jan 2009, Alan DeKok wrote:
> Mike Diggins wrote:
>> After getting NTLM_AUTH working using PAP, I decided to try the MS-CHAP2
>> as well and that appears to work, but I had to remove the line "DEFAULT
>> Auth-Type := ntlm_auth" from my users file.
>
> Use "=", not ":=". I updated the "howto" on my web site a few weeks
> ago to reflect this.
>
>> When I do that MS-CHAP2
>> works, but PAP doesn't. I will have various radius clients, some of
>> which support MS-CHAP2, but some do not. How can I use both together? My
>> users will be connecting to both services, so defining a specific
>> AUTH-TYPE for each user won't work.
>
> The above change should work.

Thanks, that worked. I was following your web page too, not sure how I
missed that. If my user file looks like this:

    diggins Auth-Type = ntlm_auth
            Reply-Message = "Group=NetWorkers",

    DEFAULT Auth-Type = ntlm_auth

How do I stop it from sending the same Reply message when the user enters
an incorrect password? Right now the Reject responds like this:

    Sending Access-Reject of id 22 to 192.168.2.2 port 1025
            Reply-Message = "Group=NetWorkers"

Also, my client (a Cisco ASA5500 VPN Server) has an authorization check
box. When I check it, it sends a RADIUS request with the username and
password both filled in with the username. FreeRADIUS seems to treat it as
another authentication request. What is its purpose?

-Mike
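
The operator change discussed in this thread, as an added example that is not part of the original posts and is not FreeRADIUS code: a simplified Python model of how ":=" and "=" in the users file treat Auth-Type when PAP and MS-CHAPv2 clients share one DEFAULT entry. It assumes the mschap module runs before files in the authorize section; the function names and sample requests are constructed for illustration.

```python
# Simplified model (an assumption, not FreeRADIUS source) of how the users-file
# operators "=" and ":=" treat Auth-Type in the control list.

def mschap_authorize(request, control):
    """Like the mschap module: claim requests that carry an MS-CHAPv2 response."""
    if "MS-CHAP2-Response" in request and "Auth-Type" not in control:
        control["Auth-Type"] = "MS-CHAP"

def files_authorize(request, control, users):
    """Apply the first matching users entry (no Fall-Through in this model)."""
    for name, attr, op, value in users:
        if name not in (request["User-Name"], "DEFAULT"):
            continue
        if op == ":=":                 # always set, replacing any existing value
            control[attr] = value
        elif op == "=":                # set only if no such attribute exists yet
            control.setdefault(attr, value)
        else:
            raise ValueError(f"operator {op!r} not modelled")
        return

def select_auth_type(request, users):
    """Run authorize as mschap, then files; return the resulting Auth-Type."""
    control = {}
    mschap_authorize(request, control)
    files_authorize(request, control, users)
    return control.get("Auth-Type")

# Constructed sample requests: one PAP client, one MS-CHAPv2 client.
PAP_REQ = {"User-Name": "diggins", "User-Password": "<constructed>"}
MSCHAP_REQ = {"User-Name": "diggins", "MS-CHAP-Challenge": "<constructed>",
              "MS-CHAP2-Response": "<constructed>"}

USERS_FORCED = [("DEFAULT", "Auth-Type", ":=", "ntlm_auth")]  # line from the first post
USERS_SOFT = [("DEFAULT", "Auth-Type", "=", "ntlm_auth")]     # line after the change

if __name__ == "__main__":
    for label, users in (("':='", USERS_FORCED), ("'='", USERS_SOFT)):
        for kind, req in (("PAP", PAP_REQ), ("MS-CHAPv2", MSCHAP_REQ)):
            print(f"{label:5} {kind:10} -> Auth-Type {select_auth_type(req, users)}")
```

With ":=" the MS-CHAPv2 request is forced onto ntlm_auth, which matches the failure described in the first post; with "=" the value set earlier by mschap is kept and PAP requests still fall through to ntlm_auth.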