Users File co-existing with NTLM-Auth
Alan DeKok
aland at deployingradius.com
Wed Apr 21 17:45:40 CEST 2010
Nathan McDavit-Van Fleet wrote:
> Can someone maybe describe exactly what's happening internally?
The debug output shows exactly what it is doing, and often also shows why.
> From my
> understanding it should be checking "files" as per the setup in
> "inner-tunnel" which is what mschap uses. I made sure that "files" appeared
> before mschap in "inner-tunnel" but it has no effect; ntlm_auths still work
> and "files" aren't.
See the FAQ for "it doesn't work".
You've also confused authorization with authentication. They're
different.
> Past that I'm not sure what I can do. Since files work without ntlm_auth, I
> have no reason to believe I have to insert "files" anyplace new, and I'm not
> certain what it is I should disable. It should just check files before
> ntlm_auth.
You've confused two independent things. The "files" module does
things like "set the 'known good' password". Any "ntlm_auth" module
involves checking the password in the packet against Active Directory.
They are *completely* different operations.
For Active Directory instructions, see:
http://deployingradius.com/documents/configuration/active_directory.html
> If I implemented anything using unlang it would be checking files before
> ntlm_auth.
It already does that in the default configuration.
You are stuck because you are focussed on a particular implementation:
"files before ntlm_auth". The statement (and question behind it) are
wrong. Instead, state what you want to do. The rest should be
relatively simple.
Alan DeKok.
More information about the Freeradius-Users
mailing list