Users File co-existing with NTLM-Auth

Nathan McDavit-Van Fleet nmcdavit at
Wed Apr 21 19:45:25 CEST 2010

Hi Alan,

I followed the configuration off of

I diff'ed my configuration with the original files. And the only changes
I've made are adding ntlm_auth to authenticate of both "default" and
"inner-tunnel" as well as the "ntlm_auth =" line in modules/mschap.

Other than minor configurations to do with LDAP, which I protect with an
"if" statement, it's a regular FR install. Can you tell me what configs you
want to know?

Attached are mschap and inner-tunnel since I think those would be most
relevant. Note that ntlm->AD works, and so do files. It's just that files
don't work while ntlm_auth is enabled.

Nathan Van Fleet

> -----Original Message-----
> From: freeradius-users- at [mailto:freeradius-users- at] On Behalf Of Alan DeKok
> Sent: Wednesday, April 21, 2010 1:25 PM
> To: FreeRadius users mailing list
> Subject: Re: Users File co-existing with NTLM-Auth
>
> Nathan McDavit-Van Fleet wrote:
> > I have a users file with name and password. I would like Freeradius to check
> > if there is a good username/password in the users file before failing using
> > ntlm_auth.
>
>   That's not quite it... the "users" file *sets* the "known good"
> password in the "authorize" stage of the server.  The "pap" or "chap"
> module *checks* the password.
>
> > As I said I currently have a good working copy of Freeradius with ntlm_auth
> > configuration. However, when I have ntlm_auth in
> > inner-tunnel->"authenticate" section, the username/password in the users
> > file no longer works. So if I disable the entry "ntlm_auth" from the
> > authenticate the users file works again.
>
>   Again... that is confusing authentication with authorization.
>
> > I know that the username is unique to my users file (it doesn't exist on
> > AD).
> >
> > I just need it so when ntlm_auth fails, it checks the known password from
> > the users file.
> >
> > So is this a case of me having to see if there is a known good password
> > before trying ntlm_auth?
>
>   Possibly.  However, I have *no idea* what you've configured.  The
> default configuration doesn't have an "ntlm_auth" entry in
> sites-available/inner-tunnel, and none of the "howtos" I've written
> would result in this behavior.
>
>   Please post a sample of your configuration.  How does it know to run
> ntlm_auth in the authenticate method?  Odds are you've configured it to
> *force* ntlm_auth authentication, even when there's an entry in the
> "users" file.
>
>   The simple answer is "don't do that".
>
>   Alan DeKok.

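The authorize/authenticate split described in the quoted reply, as a simplified Python model. This is an added example, not FreeRADIUS code and not configuration from this thread. The module names `files`, `pap` and `ntlm_auth` mirror the thread; `force_ntlm`, `ntlm_unless_local` and the sample accounts are constructed assumptions.

```python
import hmac

# Constructed sample data, not taken from the thread.
USERS_FILE = {"localuser": "localpass"}   # stands in for the "users" file
AD_ACCOUNTS = {"aduser": "adpass"}        # stands in for what ntlm_auth asks AD

def _same(a, b):
    return hmac.compare_digest(a.encode(), b.encode())

# --- authorize stage: modules only *set* control attributes ---
def files(request, control):
    pw = USERS_FILE.get(request["User-Name"])
    if pw is not None:
        control["Cleartext-Password"] = pw          # the "known good" password

def force_ntlm(request, control):
    control["Auth-Type"] = "ntlm_auth"              # forced for every user

def ntlm_unless_local(request, control):
    if "Cleartext-Password" not in control:         # only when files set nothing
        control["Auth-Type"] = "ntlm_auth"

def pap_authorize(request, control):
    if "Cleartext-Password" in control:
        control.setdefault("Auth-Type", "PAP")      # never overrides an earlier choice

# --- authenticate stage: exactly one module *checks* the password ---
def pap_authenticate(request, control):
    known = control.get("Cleartext-Password")
    return known is not None and _same(request["User-Password"], known)

def ntlm_authenticate(request, control):
    known = AD_ACCOUNTS.get(request["User-Name"])
    return known is not None and _same(request["User-Password"], known)

AUTHENTICATE = {"PAP": pap_authenticate, "ntlm_auth": ntlm_authenticate}

def handle(authorize, user, password):
    request = {"User-Name": user, "User-Password": password}
    control = {}
    for module in authorize:
        module(request, control)
    check = AUTHENTICATE.get(control.get("Auth-Type"))
    ok = check is not None and check(request, control)
    return "Access-Accept" if ok else "Access-Reject"

FORCED = [files, force_ntlm, pap_authorize]           # users-file password is set, never checked
FALLBACK = [files, ntlm_unless_local, pap_authorize]  # local entry wins, AD otherwise
```

With `FORCED`, the local account is rejected even though `files` found its password, because only the module selected by Auth-Type runs in the authenticate stage.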