need help authenticating against AD

tnt at kalik.net
Fri Nov 20 19:09:44 CET 2009


> Technically, this is all I need; this seems like a hacked way of doing
> things,

Well, you have to hack things if you don't want freeradius server to
authenticate users but get the result of authentication done by something
else.

> though and I want to understand the operations of the server
> better. I commented out the pap and unix modules in
> ../sites-enabled/inner-tunnel and default and I also removed the DEFAULT
> line from the top of the users file.

You should remove unix (if you are going to use AD passwords and not local
system ones). Put pap back. Instead of forcing things in users file put
this bit of unlang *below* pap in authorize:

if(!control:Auth-Type) {
     update control {
          Auth-Type = "ntlm-auth"
     }
}

If none of the standard modules set Auth-Type, this will set ntlm_auth.

Ivan Kalik
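
How the fallback fits into the rest of a virtual server, as an added example that is not part of the original message: the authorize section with pap followed by the unlang test, and an authenticate subsection whose name matches the Auth-Type value being set. The module instance name ntlm_auth (an exec module that runs Samba's ntlm_auth helper) and the other modules listed are assumptions about the local configuration.

```unlang
# Site file sketch, e.g. sites-enabled/default (FreeRADIUS 2.x layout).
# Module list is an assumption; keep whatever the site already uses.
authorize {
    preprocess
    mschap
    eap
    files

    # pap sets Auth-Type to PAP only if the request carries User-Password
    # and an earlier module has supplied a known-good password for the
    # user. For AD-only users it leaves Auth-Type unset.
    pap

    # Nothing above claimed the request: hand it to the ntlm_auth helper.
    if (!control:Auth-Type) {
        update control {
            Auth-Type = "ntlm-auth"
        }
    }
}

authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    # The subsection name must match the value set in authorize exactly:
    # "ntlm-auth" and "ntlm_auth" are two different Auth-Type values.
    Auth-Type ntlm-auth {
        # Assumed: an exec module instance named ntlm_auth is defined.
        ntlm_auth
    }
    eap
}
```

Running the server in debug mode (radiusd -X) shows which Auth-Type was selected for each request, which confirms whether the fallback or one of the standard modules handled it.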



