Users File co-existing with NTLM-Auth

Nathan McDavit-Van Fleet nmcdavit at alcor.concordia.ca
Wed Apr 21 16:22:20 CEST 2010


Can someone maybe describe exactly what's happening internally? From my
understanding it should be checking "files" as per the setup in
"inner-tunnel" which is what mschap uses. I made sure that "files" appeared
before mschap in "inner-tunnel" but it has no effect; ntlm_auths still work
and "files" aren't.

Past that I'm not sure what I can do. Since files work without ntlm_auth, I
have no reason to believe I have to insert "files" anyplace new, and I'm not
certain what it is I should disable. It should just check files before
ntlm_auth. 

If I implemented anything using unlang it would be checking files before
ntlm_auth.

Nathan Van Fleet

> -----Original Message-----
> From: freeradius-users-
> bounces+nmcdavit=alcor.concordia.ca at lists.freeradius.org
> [mailto:freeradius-users-
> bounces+nmcdavit=alcor.concordia.ca at lists.freeradius.org] On Behalf Of
> Nathan McDavit-Van Fleet
> Sent: Wednesday, April 21, 2010 9:22 AM
> To: 'FreeRadius users mailing list'
> Subject: RE: Users File co-existing with NTLM-Auth
> 
> Crap.
> 
> Nathan Van Fleet
> 
> > -----Original Message-----
> > From: freeradius-users-
> > bounces+nmcdavit=alcor.concordia.ca at lists.freeradius.org
> > [mailto:freeradius-users-
> > bounces+nmcdavit=alcor.concordia.ca at lists.freeradius.org] On Behalf Of
> > Gary Gatten
> > Sent: Tuesday, April 20, 2010 5:11 PM
> > To: 'FreeRadius users mailing list'
> > Subject: RE: Users File co-existing with NTLM-Auth
> >
> > Yeah, there's a way.  I had / have similar requirements.  I *think*
> > with some unlang and maybe a "fall-through" here or there...  I haven't
> > quite figured this out, but I'm pretty sure it can be done.  From what
> > I've gathered so far FR allows one to do pretty much anything, it's
> > usually the other hardware / software / protocols that are the limiting
> > factors.
> >
> > G
> >
> > PS: LMK the answer when you figure this out! ;)
> >
> > -----Original Message-----
> > From: freeradius-users-
> > bounces+ggatten=waddell.com at lists.freeradius.org
> > [mailto:freeradius-users-
> > bounces+ggatten=waddell.com at lists.freeradius.org] On Behalf Of Nathan
> > McDavit-Van Fleet
> > Sent: Tuesday, April 20, 2010 3:25 PM
> > To: 'FreeRadius users mailing list'
> > Subject: Users File co-existing with NTLM-Auth
> >
> > I was able to get ntlm-auth working with AD integration. But unfortunately
> > this stops the existing users in the users' file from being checked. Whenever
> > I have the "ntlm_auth =" line configured in modules/mschap, my users file is
> > not checked. If I comment out "ntlm_auth" the users file works again.
> >
> > Is there any possibility of getting both the files and the ntlm_auth methods
> > functional inside MSCHAP?
> >
> > -Nathan Van Fleet
> >
> > > -----Original Message-----
> > > From: freeradius-users-
> > > bounces+nmcdavit=alcor.concordia.ca at lists.freeradius.org
> > > [mailto:freeradius-users-
> > > bounces+nmcdavit=alcor.concordia.ca at lists.freeradius.org] On Behalf Of
> > > Jonathan Hutchins
> > > Sent: Tuesday, April 20, 2010 11:42 AM
> > > To: Thibault Le Meur
> > > Cc: FreeRadius users mailing list
> > > Subject: Re: PopTop
> > >
> > > On Tuesday 20 April 2010 03:27:19 am Thibault Le Meur wrote:
> > >
> > > > Yes it is true, but this part seems easy once you've understood how to
> > > > migrate from FR1 to FR2 which is required anyway to do a proper
> > > > migration.
> > >
> > > Is there a doc that specifically addresses migration?
> > >
> > > > In fact this would be only a 3-line change in the article, so this
> > > > is easy to fix as most of this HowTo is related to setting other
> > > > components than FR ;-)
> > >
> > > Can I help get those changes made, perhaps by testing the howto?  The section
> > > on the Dictionary would seem to be unnecessary for most packaged
> > > distributions.
> > >
> > > > >  I moved from a rather ancient Gentoo server that I believe was using an
> > > > > 1.x version to Debian Lenny 2.0.4, then upgraded to the 2.1.8 backport,
> > > > > and I can't get it to parse DOMAIN//user properly - it ignores the
> > > > > separator and comes up with a null "realm".  Curiously, it later displays
> > > > > the username as DOMAIN/name.
> > > >
> > > > I can't help here, because I'm not using realm for PopTop authentication.
> > >
> > > I wasn't intending to either, I was following your PopTop doc exactly.
> > >
> > > > However I would check your modules/realm file and the ntdomain realm
> > > > definition.  Then I would double check that the ntdomain instance is
> > > > enabled in your pre-acct and authorize section.
> > >
> > > Searching for where to enable this now.  I wonder if there is any different
> > > handling for the "\\" vs "\".
> > >
> > > Since I don't have a working config yet, I would be happy to strip it back to
> > > defaults and test your howto.
> > > -
> > > List info/subscribe/unsubscribe? See
> > > http://www.freeradius.org/list/users.html