Exec and ntlm_auth

tnt at kalik.net tnt at kalik.net
Thu Nov 26 19:28:50 CET 2009


> I have a server successfully authenticating users using eap-mschapv2 or
> eap-ttls for eduroam and wired 802.1x. I'm now trying to expand the system
> to include authorisation/authentication for console and telnet access to
> cisco switches.
>
> For telnet access, I now have:
>
> A new file modules/ntlm_auth which contains,
>
> exec ntlm_auth {
>         wait = yes
>         program = "/usr/sfw/bin/ntlm_auth --request-nt-key
> --username=%{User-Name} --password=%{User-Password}"
> }
>
> At the end of the users file,
>
> DEFAULT NAS-Port-Type = Virtual, NAS-IP-Address = x.x.x.x, Auth-Type :=
> ntlm_auth

Put this after pap in authorize section of default virtual server instead:

if (!control:Auth-Type) {
        update control {
                Auth-Type := "ntlm_auth"
        }
}

> And at the end of the sites-enabled/default and sites-enabled/inner-tunnel
> authenticate sections, immediately after eap
>
>         ntlm_auth
>
> It works though interestingly (for me at least) if I comment out ntlm_auth
> from the inner-tunnel file, the server fails to start with an
> "Unknown value ntlm_auth for attribute Auth-Type" error. I don't
> understand that as I don't want to use this authentication method with
> peap!

That's because users file is common for both (all) virtual servers. If you
use that unlang you don't need an entry in inner-tunnel server.

> Obviously the users entry above only works for a single switch as the IP
> address is specified. Next step is to specify groups of switches.

Just adapt if statement so it fires when you want it to. You can add
Huntgroup-Name or something like that into it.
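The huntgroup variant of that unlang, written out as a constructed example that is not part of the original thread; the huntgroup name "switches", the 192.0.2.x switch addresses and the raddb paths are assumptions (FreeRADIUS 2.x layout, matching the poster's setup):

```unlang
# raddb/huntgroups (read by the preprocess module, which runs early in authorize)
switches        NAS-IP-Address == 192.0.2.10
switches        NAS-IP-Address == 192.0.2.11

# raddb/modules/ntlm_auth (as in the original post)
# Note: the plaintext password is handed to ntlm_auth on its command line,
# so it is visible in the process list on the RADIUS host while it runs.
exec ntlm_auth {
        wait = yes
        program = "/usr/sfw/bin/ntlm_auth --request-nt-key --username=%{User-Name} --password=%{User-Password}"
}

# raddb/sites-enabled/default only; the inner-tunnel server needs no entry
authorize {
        preprocess
        ...
        pap
        # Only switch management logins (Virtual port type) from the listed
        # switches get ntlm_auth; 802.1X/eduroam requests keep their Auth-Type.
        if (!control:Auth-Type && NAS-Port-Type == Virtual && Huntgroup-Name == "switches") {
                update control {
                        Auth-Type := "ntlm_auth"
                }
        }
}

authenticate {
        ...
        eap
        ntlm_auth
}
```

Listing ntlm_auth in authenticate here is what registers the Auth-Type value, which is why the users-file approach needed the module in every virtual server.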




More information about the Freeradius-Users mailing list