Users File co-existing with NTLM-Auth

Alan DeKok aland at
Wed Apr 21 19:25:29 CEST 2010

Nathan McDavit-Van Fleet wrote:
> I have a users file with name and password. I would like Freeradius to check
> if there is a good username/password in the users file before failing using
> ntlm_auth.

  That's not quite it... the "users" file *sets* the "known good"
password in the "authorize" stage of the server.  The "pap" or "chap"
module *checks* the password.

> As I said I currently have a good working copy of Freeradius with ntlm_auth
> configuration. However, when I have ntlm_auth in
> inner-tunnel->"authenticate" section, the username/password in the users
> file no longer works. So if I disable the entry "ntlm_auth" from the
> authenticate the users file works again.

  Again... that is confusing authentication with authorization.

> I know that the username is unique to my users file (it doesn't exist on
> AD). 
> I just need it so when ntlm_auth fails, it checks the known password from
> the users file.
> So is this a case of me having to see if there is a known good password
> before trying ntlm_auth?

  Possibly.  However, I have *no idea* what you've configured.  The
default configuration doesn't have an "ntlm_auth" entry in
sites-available/inner-tunnel, and none of the "howtos" I've written
would result in this behavior.

  Please post a sample of your configuration.  How does it know to run
ntlm_auth in the authenticate method?  Odds are you've configured it to
*force* ntlm_auth authentication, even when there's an entry in the
"users" file.

  The simple answer is "don't do that".

  Alan DeKok.

More information about the Freeradius-Users mailing list