Users File co-existing with NTLM-Auth

Alan DeKok aland at
Wed Apr 21 17:45:40 CEST 2010

Nathan McDavit-Van Fleet wrote:
> Can someone maybe describe exactly what's happening internally?

  The debug output shows exactly what it is doing, and often also shows why.

> From my
> understanding it should be checking "files" as per the setup in
> "inner-tunnel" which is what mschap uses. I made sure that "files" appeared
> before mschap in "inner-tunnel" but it has no effect; ntlm_auths still work
> and "files" aren't.

  See the FAQ for "it doesn't work".

  You've also confused authorization with authentication.  They're

> Past that I'm not sure what I can do. Since files work without ntlm_auth, I
> have no reason to believe I have to insert "files" anyplace new, and I'm not
> certain what it is I should disable. It should just check files before
> ntlm_auth. 

  You've confused two independent things.  The "files" module does
things like "set the 'known good' password".  Any "ntlm_auth" module
involves checking the password in the packet against Active Directory.

  They are *completely* different operations.

  For Active Directory instructions, see:

> If I implemented anything using unlang it would be checking files before
> ntlm_auth.

  It already does that in the default configuration.

  You are stuck because you are focussed on a particular implementation:
"files before ntlm_auth".   The statement (and question behind it) are
wrong.  Instead, state what you want to do.  The rest should be
relatively simple.

  Alan DeKok.

More information about the Freeradius-Users mailing list