ntlm_auth and AD authentication

tnt at kalik.net tnt at kalik.net
Mon Nov 23 21:58:30 CET 2009


> At 02:33 PM 11/23/2009, Paul Ryszka wrote:
>>On Mon, 2009-11-23 at 13:35 -0500, freeradius at corwyn.net wrote:
>> > Am I going to have to do something like create different modules
>> > (ntlm_auth and ntlm_auth2) radiusd.conf in the module section?
>>
>>You need to create two separate entries in modules having two mschap
>>entries .. sth like :
>>mschap mschap_group1 {
>>         ...
>>         ntlm_auth = "your first ntlm_auth command"
>>}
>>mschap mschap_group2 {
>>         ...
>>         ntlm_auth = "your second ntlm_auth command"
>>}
>>and then have the respective mschaps used in the respective virtual
>>servers for each client.
>
> I currently have (working)
> exec ntlm_auth {
>                  wait = yes
>                  program = "/usr/bin/ntlm_auth ntlm_auth
> --request-nt-key --domain=int.invtitle.com
> --username=%{mschap:User-Name} --password=%{User-Password}
> --require-membership-of=int.example.com+VPN_Users"
>          }
>
> so I'm not sure how that relates to mschap groups? I don't currently
> have a mschap group at all currently in the radiusd.conf file.
>
> Would I just create
> exec ntlm_auth_2 {
>                  wait = yes
>                  program = "/usr/bin/ntlm_auth ntlm_auth
> --request-nt-key --domain=int.invtitle.com
> --username=%{mschap:User-Name} --password=%{User-Password}
> --require-membership-of=int.example.com+Cisco_Users"
>          }
>
> And how do I control which group is used for auth from a specific client?

Are Cisco users sending pap or mschap requests? If it's pap, just add after
pap in authorize:

# Only set the Auth-Type if nothing earlier in authorize (e.g. pap) already did.
if (!control:Auth-Type) {
     update control {
          Auth-Type = "ntlm_auth_2"
     }
}

Ivan Kalik
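For reference, here is how the two exec instances, the per-client Auth-Type selection and the matching authenticate entries fit together in a FreeRADIUS 2.x virtual server. This is an added example written for this page, not config from the thread or from the FreeRADIUS project; the domain, group names, the NAS address 192.0.2.10 and the module file locations are placeholders you would replace with your own values.

```unlang
# Added example (not from the thread). Placeholders: EXAMPLE_DOMAIN, the two
# group names, and 192.0.2.10 as the address of the Cisco device.

# --- module definitions (radiusd.conf "modules" section or modules/ directory) ---
modules {
        # Existing authenticator for VPN users (PAP only: it needs the
        # cleartext User-Password from the request).
        exec ntlm_auth {
                wait = yes
                program = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE_DOMAIN --username=%{mschap:User-Name} --password=%{User-Password} --require-membership-of=EXAMPLE_DOMAIN+VPN_Users"
        }

        # Second instance, identical apart from the required AD group.
        exec ntlm_auth_2 {
                wait = yes
                program = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE_DOMAIN --username=%{mschap:User-Name} --password=%{User-Password} --require-membership-of=EXAMPLE_DOMAIN+Cisco_Users"
        }
}

# --- virtual server (sites-enabled/default) ---
server default {
        authorize {
                preprocess
                mschap
                suffix
                files
                pap

                # pap leaves control:Auth-Type unset when there is no local
                # "known good" password (AD holds it), so pick the exec
                # instance here based on which NAS sent the request.
                if (!control:Auth-Type) {
                        if (NAS-IP-Address == 192.0.2.10) {
                                # placeholder: the Cisco device
                                update control {
                                        Auth-Type := ntlm_auth_2
                                }
                        }
                        else {
                                update control {
                                        Auth-Type := ntlm_auth
                                }
                        }
                }
        }

        authenticate {
                Auth-Type PAP {
                        pap
                }

                # Listing the exec instance under its own Auth-Type is what
                # defines that Auth-Type value; exit code 0 from ntlm_auth
                # (user exists, password correct, group membership satisfied)
                # is an Access-Accept, anything else an Access-Reject.
                Auth-Type ntlm_auth {
                        ntlm_auth
                }
                Auth-Type ntlm_auth_2 {
                        ntlm_auth_2
                }
        }
}
```

Two things to check when adapting this: `--require-membership-of` is evaluated by ntlm_auth itself, so a user who is in the wrong group is rejected with a non-zero exit code and the exec module fails, which is what makes the group check enforceable per client; and this only works for PAP, because the exec instance needs `%{User-Password}`. If the Cisco device sends MS-CHAP instead, the `%{User-Password}` expansion is empty and you need the two `mschap` instances with different `ntlm_auth =` lines that Paul described, selected in the authenticate section in the same per-NAS way. Run `radiusd -X` and confirm in the debug output which Auth-Type each client's request ends up with before trusting the split.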




More information about the Freeradius-Users mailing list