mschap auth for multiple realms off different domain ctlrs?
Ross Wheeler
freeradius.contact at albury.net.au
Thu Jul 30 09:22:40 CEST 2009
On Tue, 28 Jul 2009, Ivan Kalik wrote:
Thank you for the reply and suggestion. I've been interstate and just back
now to try it.
> Create two mschap module instances, mschap_co1 with first ntlm_auth line
> and mschap_co2 with second one.
ok.
> Then create redundancy inside Auth-Type
> MS-CHAP (default server for mschap requests, inner-tunnel for peap):
>
> Auth-Type MS-CHAP {
>     if(Realm == "company1.local") {
>         mschap_co1
>     }
>     elsif(Realm == "company2.local") {
>         mschap_co2
>     }
>     else {
>         mschap (or reject if you don't want to try users file, sql, ldap
>                 or other accounts)
>     }
> }
When I do this, stop radiusd and re-run with -X, I get:
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/clients.conf
/usr/local/etc/raddb/radiusd.conf[1948]: Line is not in 'attribute = value' format
Errors reading radiusd.conf
I then commented out most to check for stupid operator errors:
# new MSCHAP authentication.
# auths differently depending on the realm
# If none of the defined realms, use standard
Auth-Type MS-CHAP {
#   if(Realm == "aae.local") {
        mschap_co1
#   }
#   elseif(Realm == "lla.local") {
        mschap_co2
#   }
#   else {
#       mschap
#   }
}
This at least got further... but not much. Here's the -X output:
# /usr/local/sbin/radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/clients.conf
main: prefix = "/usr/local"
main: localstatedir = "/var"
main: logdir = "/var/log"
main: libdir = "/usr/local/lib"
main: radacctdir = "/var/log/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/var/log/radius.log"
main: log_auth = no
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = "/var/run/radiusd/radiusd.pid"
main: bind_address = 127.0.0.1 IP address [127.0.0.1]
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
radiusd.conf[723] Failed to link to module 'rlm_mschap_co1': Shared object
"rlm_mschap_co1.so" not found, required by "radiusd"
radiusd.conf[1949] Unknown module "mschap_co1".
radiusd.conf[1949] Failed to parse "mschap_co1" entry.
bash-2.05b#
I'm simply not familiar enough with FreeRadius to know where to go with
this - I learned enough to set it up many years ago on my own systems,
it's been rock-solid ever since and I guess I've just forgotten it all.
This particular configuration was done by someone else and is quite
different to my own. Any (further) help appreciated.
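A worked version of the layout Ivan describes, added here as an example and not taken from the thread or from the FreeRADIUS distribution. It is FreeRADIUS 2.x syntax. Two things in the debug output above are worth reading against it: "Failed to link to module 'rlm_mschap_co1'" is what the server prints when a section is declared as `mschap_co1 { ... }`, because it then looks for a shared object named after the section; writing `mschap mschap_co1 { ... }` keeps the module type `mschap` (so `rlm_mschap.so` is loaded) and only names the instance. Second, the `if`/`elsif`/`else` blocks are unlang, which exists only in FreeRADIUS 2.0 and later; a 1.x server rejects those lines with exactly the "Line is not in 'attribute = value' format" error shown earlier. The realm names, the `ntlm_auth` path and the `--domain=` values below are placeholders.

```unlang
# Two instances of rlm_mschap, one per Windows domain.
# "mschap mschap_co1" reads as: module type mschap, instance name mschap_co1.
# (Declaring the section as "mschap_co1 { ... }" instead makes the server
#  look for rlm_mschap_co1.so, which is the error seen in the -X output.)
mschap mschap_co1 {
    with_ntdomain_hack = yes
    # COMPANY1 is a placeholder for the NetBIOS domain winbind is joined to.
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=COMPANY1 --username=%{mschap:User-Name:-None} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

mschap mschap_co2 {
    with_ntdomain_hack = yes
    # COMPANY2 is likewise a placeholder for the second domain.
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=COMPANY2 --username=%{mschap:User-Name:-None} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

# The Realm attribute tested below is only set if a realm module (suffix or
# ntdomain) ran in the authorize section and the realm is defined as a local
# realm (no auth_host) in proxy.conf, e.g.:
#
#   realm company1.local { }
#   realm company2.local { }

# In 2.x this lives in sites-enabled/default (and, for PEAP, the same block
# is needed in sites-enabled/inner-tunnel, as the reply above points out).
authenticate {
    Auth-Type MS-CHAP {
        if (Realm == "company1.local") {
            mschap_co1
        }
        elsif (Realm == "company2.local") {
            mschap_co2
        }
        else {
            # Default instance: tries users file, sql, ldap etc. as before.
            # Replace with "reject" to refuse unknown realms outright.
            mschap
        }
    }
}
```

Run `radiusd -X` after the change; a correctly named instance shows up in the module setup as "Module: Instantiated mschap (mschap_co1)" rather than a failed link, and an MS-CHAP request for a user in a known realm should then show the matching instance being called in the authenticate trace.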