Users File co-existing with NTLM-Auth
Alan DeKok
aland at deployingradius.com
Wed Apr 21 19:25:29 CEST 2010
Nathan McDavit-Van Fleet wrote:
> I have a users file with name and password. I would like Freeradius to check
> if there is a good username/password in the users file before failing using
> ntlm_auth.

That's not quite it... the "users" file *sets* the "known good"
password in the "authorize" stage of the server. The "pap" or "chap"
module *checks* the password.

> As I said I currently have a good working copy of Freeradius with ntlm_auth
> configuration. However, when I have ntlm_auth in
> inner-tunnel->"authenticate" section, the username/password in the users
> file no longer works. So if I disable the entry "ntlm_auth" from the
> authenticate the users file works again.

Again... that is confusing authentication with authorization.

> I know that the username is unique to my users file (it doesn't exist on
> AD).
>
> I just need it so when ntlm_auth fails, it checks the known password from
> the users file.
>
> So is this a case of me having to see if there is a known good password
> before trying ntlm_auth?

Possibly. However, I have *no idea* what you've configured. The
default configuration doesn't have an "ntlm_auth" entry in
sites-available/inner-tunnel, and none of the "howtos" I've written
would result in this behavior.

Please post a sample of your configuration. How does it know to run
ntlm_auth in the authenticate method? Odds are you've configured it to
*force* ntlm_auth authentication, even when there's an entry in the
"users" file.

The simple answer is "don't do that".

Alan DeKok.
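
An added illustration of the authorize/authenticate split described in the message above; it is not configuration posted by either participant. It assumes FreeRADIUS 2.x syntax, an inner request that carries a PAP User-Password, an `ntlm_auth` exec module instance defined elsewhere, and a constructed local account named `localuser`.

```text
# --- users file (constructed entry) ---
# Sets the "known good" password during authorize. Nothing is checked here.
localuser   Cleartext-Password := "example-password"

# --- sites-available/inner-tunnel ---
authorize {
    # Reads the users file; adds control:Cleartext-Password for localuser.
    files

    # If a known good password exists and no Auth-Type has been set,
    # pap sets Auth-Type to PAP. It does not check the password yet.
    pap

    # Select ntlm_auth only when no local known good password was found.
    # Writing this "update control" without the surrounding "if" would
    # force ntlm_auth for every request, and the users file entry would
    # never be checked by pap.
    if (!control:Cleartext-Password) {
        update control {
            Auth-Type := ntlm_auth
        }
    }
}

authenticate {
    # Runs when Auth-Type is PAP: compares User-Password with the
    # Cleartext-Password that the users file set during authorize.
    Auth-Type PAP {
        pap
    }

    # Runs only when authorize selected Auth-Type ntlm_auth above.
    ntlm_auth
}
```

With this layout a user present only in the users file is checked by `pap`, and every other user is handed to `ntlm_auth`; exactly one authenticate method runs per request, so the choice has to be made in authorize.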