Users File co-existing with NTLM-Auth

Nathan McDavit-Van Fleet nmcdavit at
Wed Apr 21 18:08:23 CEST 2010

I have a users file with name and password. I would like Freeradius to check
if there is a good username/password in the users file before failing using

As I said I currently have a good working copy of Freeradius with ntlm_auth
configuration. However, when I have ntlm_auth in
inner-tunnel->"authenticate" section, the username/password in the users
file no longer works. So if I disable the entry "ntlm_auth" from the
authenticate the users file works again.

I know that the username is unique to my users file (it doesn't exist on

I just need it so when ntlm_auth fails, it checks the known password from
the users file.

So is this a case of me having to see if there is a known good password
before trying ntlm_auth?

Nathan Van Fleet

> -----Original Message-----
> From: freeradius-users-
> at
> [mailto:freeradius-users-
> at] On Behalf Of
> Alan DeKok
> Sent: Wednesday, April 21, 2010 11:46 AM
> To: FreeRadius users mailing list
> Subject: Re: Users File co-existing with NTLM-Auth
> Nathan McDavit-Van Fleet wrote:
> > Can someone maybe describe exactly what's happening internally?
>   The debug output shows exactly what it is doing, and often also shows
> why.
> > From my
> > understanding it should be checking "files" as per the setup in
> > "inner-tunnel" which is what mschap uses. I made sure that "files"
> appeared
> > before mschap in "inner-tunnel" but it has no effect; ntlm_auths
> still work
> > and "files" aren't.
>   See the FAQ for "it doesn't work".
>   You've also confused authorization with authentication.  They're
> different.
> > Past that I'm not sure what I can do. Since files work without
> ntlm_auth, I
> > have no reason to believe I have to insert "files" anyplace new, and
> I'm not
> > certain what it is I should disable. It should just check files
> before
> > ntlm_auth.
>   You've confused two independent things.  The "files" module does
> things like "set the 'known good' password".  Any "ntlm_auth" module
> involves checking the password in the packet against Active Directory.
>   They are *completely* different operations.
>   For Active Directory instructions, see:
> l
> > If I implemented anything using unlang it would be checking files
> before
> > ntlm_auth.
>   It already does that in the default configuration.
>   You are stuck because you are focussed on a particular
> implementation:
> "files before ntlm_auth".   The statement (and question behind it) are
> wrong.  Instead, state what you want to do.  The rest should be
> relatively simple.
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list