Exec and ntlm_auth

Leighton Man l.j.man at hud.ac.uk
Thu Nov 26 11:02:41 CET 2009


Hi all,

Thanks to everyone for their help. I seem to have generated quite a bit of discussion so I thought I'd summarise where I'm "up to" in case it helps.

I have a server successfully authenticating users using eap-mschapv2 or eap-ttls for eduroam and wired 802.1x. I'm now trying to expand the system to include authorisation/authentication for console and telnet access to cisco switches.

For telnet access, I now have:

A new file modules/ntlm_auth which contains,

exec ntlm_auth {
        wait = yes
        program = "/usr/sfw/bin/ntlm_auth --request-nt-key --username=%{User-Name} --password=%{User-Password}"
}

At the end of the users file,

DEFAULT NAS-Port-Type = Virtual, NAS-IP-Address = x.x.x.x, Auth-Type := ntlm_auth

And at the end of the sites-enabled/default and sites-enabled/inner-tunnel authenticate sections, immediately after eap:

        ntlm_auth

It works, though interestingly (for me at least), if I comment out ntlm_auth from the inner-tunnel file, the server fails to start with an "Unknown value ntlm_auth for attribute Auth-Type" error. I don't understand that, as I don't want to use this authentication method with peap!

Obviously the users entry above only works for a single switch as the IP address is specified. Next step is to specify groups of switches.

Thanks again,

Leighton
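To make the matching behind that DEFAULT entry concrete, here is an added example (editor's own code, not from the post or from FreeRADIUS) that models, in simplified form, how the users file selects an Auth-Type: `=`/`==` check items are compared against the request, `:=` items are assigned, and the first entry whose comparisons all hold wins. The address 192.0.2.10 is a constructed stand-in for the x.x.x.x in the post.

```python
import re
from typing import Dict, List, Optional, Tuple

Item = Tuple[str, str, str]  # (attribute, operator, value)

# Constructed sample users file: the DEFAULT entry from the post, with a
# placeholder NAS address in place of x.x.x.x.
USERS_FILE = """\
DEFAULT NAS-Port-Type = Virtual, NAS-IP-Address = 192.0.2.10, Auth-Type := ntlm_auth
"""

# One check item: attribute, one of the operators := == =, then a value.
ITEM_RE = re.compile(r'^\s*([\w-]+)\s*(:=|==|=)\s*("[^"]*"|\S+)\s*$')


def parse_entry(line: str) -> Tuple[str, List[Item]]:
    """Split one users-file line into (entry name, list of check items)."""
    name, _, rest = line.strip().partition(' ')
    items: List[Item] = []
    for piece in rest.split(','):
        m = ITEM_RE.match(piece)
        if not m:
            raise ValueError(f'cannot parse check item: {piece!r}')
        attr, op, value = m.groups()
        items.append((attr, op, value.strip('"')))
    return name, items


def match_items(items: List[Item], request: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Simplified model: ':=' assigns, '=' and '==' must equal the request value.
    Returns the assigned attributes, or None if any comparison fails."""
    assigned: Dict[str, str] = {}
    for attr, op, value in items:
        if op == ':=':
            assigned[attr] = value
        elif request.get(attr) != value:
            return None
    return assigned


def select_auth_type(users_file: str, request: Dict[str, str]) -> Optional[str]:
    """First-match evaluation: DEFAULT applies to any user, other entries by User-Name."""
    for line in users_file.splitlines():
        if not line.strip():
            continue
        name, items = parse_entry(line)
        if name != 'DEFAULT' and name != request.get('User-Name'):
            continue
        assigned = match_items(items, request)
        if assigned is not None:
            return assigned.get('Auth-Type')
    return None
```

A request from any NAS address other than the one in the entry gets no Auth-Type from this file, which is the single-switch limitation the post describes.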


