Exec and ntlm_auth
Leighton Man
l.j.man at hud.ac.uk
Thu Nov 26 11:02:41 CET 2009
Hi all,
Thanks to everyone for their help. I seem to have generated quite a bit of discussion so I thought I'd summarise where I'm "up to" in case it helps.
I have a server successfully authenticating users using EAP-MSCHAPv2 or EAP-TTLS for eduroam and wired 802.1X. I'm now trying to expand the system to include authorisation/authentication for console and telnet access to Cisco switches.
For telnet access, I now have:
A new file modules/ntlm_auth which contains:

    exec ntlm_auth {
        wait = yes
        program = "/usr/sfw/bin/ntlm_auth --request-nt-key --username=%{User-Name} --password=%{User-Password}"
    }

At the end of the users file:

    DEFAULT NAS-Port-Type = Virtual, NAS-IP-Address = x.x.x.x, Auth-Type := ntlm_auth

And at the end of the sites-enabled/default and sites-enabled/inner-tunnel authenticate sections, immediately after eap:

    ntlm_auth
It works, though interestingly (for me at least), if I comment out ntlm_auth from the inner-tunnel file, the server fails to start with an "Unknown value ntlm_auth for attribute Auth-Type" error. I don't understand that, as I don't want to use this authentication method with PEAP!
Obviously, the users entry above only works for a single switch, as the IP address is specified. Next step is to specify groups of switches.
Thanks again,
Leighton
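[Editor's added example, not part of Leighton's post: the same three pieces of configuration, with the "groups of switches" step done through the preprocess module's huntgroups file instead of a per-switch NAS-IP-Address, and the check items written with "==", which is the operator the users file format documents for comparing request attributes. The group name and the 192.0.2.x addresses are made up; the module path is the one from the post.]

```text
# modules/ntlm_auth -- exec module as in the post. Note that anything expanded
# into "program" becomes the child's argv, so %{User-Password} is readable by
# every local user via ps or /proc/<pid>/cmdline while ntlm_auth runs.
exec ntlm_auth {
    wait = yes
    program = "/usr/sfw/bin/ntlm_auth --request-nt-key --username=%{User-Name} --password=%{User-Password}"
}

# raddb/huntgroups -- read by the "preprocess" module, which the stock
# authorize section already lists. One line per switch, same group name;
# a request matches the group if any line for that group matches.
cisco-switches  NAS-IP-Address == 192.0.2.10
cisco-switches  NAS-IP-Address == 192.0.2.11
cisco-switches  NAS-IP-Address == 192.0.2.12

# raddb/users -- last entry. Huntgroup-Name is set by preprocess before the
# files module runs; "==" compares, ":=" forces Auth-Type.
DEFAULT Huntgroup-Name == "cisco-switches", NAS-Port-Type == Virtual, Auth-Type := ntlm_auth

# sites-enabled/default -- authenticate section, ntlm_auth after eap
authenticate {
    # ... other methods as in the stock file ...
    eap
    ntlm_auth
}
```

Adding a switch is then one more huntgroups line rather than another DEFAULT entry, and the users entry stays unchanged.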