Users File co-existing with NTLM-Auth
Nathan McDavit-Van Fleet
nmcdavit at alcor.concordia.ca
Wed Apr 21 19:45:25 CEST 2010
Hi Alan,
I followed the configuration off of deployingfreeradius.com
http://deployingradius.com/documents/configuration/active_directory.html
I diff'ed my configuration with the original files, and the only changes
I've made are adding ntlm_auth to authenticate of both "default" and
"inner-tunnel" as well as the "ntlm_auth =" line in modules/mschap.
Other than minor configurations to do with LDAP, which I protect with an
"if" statement, it's a regular FR install. Can you tell me what configs you
want to know?
Attached are mschap and inner-tunnel since I think those would be most
relevant. Note that ntlm->AD works, and so do files. It's just that files
don't work while ntlm_auth is enabled.
Nathan Van Fleet
> -----Original Message-----
> From: freeradius-users-
> bounces+nmcdavit=alcor.concordia.ca at lists.freeradius.org
> [mailto:freeradius-users-
> bounces+nmcdavit=alcor.concordia.ca at lists.freeradius.org] On Behalf Of
> Alan DeKok
> Sent: Wednesday, April 21, 2010 1:25 PM
> To: FreeRadius users mailing list
> Subject: Re: Users File co-existing with NTLM-Auth
>
> Nathan McDavit-Van Fleet wrote:
> > I have a users file with name and password. I would like Freeradius to
> > check if there is a good username/password in the users file before
> > failing using ntlm_auth.
>
> That's not quite it... the "users" file *sets* the "known good"
> password in the "authorize" stage of the server. The "pap" or "chap"
> module *checks* the password.
>
> > As I said I currently have a good working copy of Freeradius with
> > ntlm_auth configuration. However, when I have ntlm_auth in
> > inner-tunnel->"authenticate" section, the username/password in the users
> > file no longer works. So if I disable the entry "ntlm_auth" from the
> > authenticate the users file works again.
>
> Again... that is confusing authentication with authorization.
>
> > I know that the username is unique to my users file (it doesn't exist
> > on AD).
> >
> > I just need it so when ntlm_auth fails, it checks the known password
> > from the users file.
> >
> > So is this a case of me having to see if there is a known good password
> > before trying ntlm_auth?
>
> Possibly. However, I have *no idea* what you've configured. The
> default configuration doesn't have an "ntlm_auth" entry in
> sites-available/inner-tunnel, and none of the "howtos" I've written
> would result in this behavior.
>
> Please post a sample of your configuration. How does it know to run
> ntlm_auth in the authenticate method? Odds are you've configured it to
> *force* ntlm_auth authentication, even when there's an entry in the
> "users" file.
>
> The simple answer is "don't do that".
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: inner-tunnel.txt
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20100421/a85503fe/attachment.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: mschap.txt
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20100421/a85503fe/attachment-0001.txt>
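Alan's point above (the users file only sets the known-good password in authorize; pap or mschap checks it in authenticate; a forced Auth-Type := ntlm_auth in authorize bypasses that check) as an added configuration sketch. It is not from the thread or from Nathan's attachments: the user name, the password, the catch-all entry and the MS-CHAP-Use-NTLM-Auth check item are assumptions about a FreeRADIUS 2.x-style layout.

```text
# --- raddb/users (read by "files" in the authorize stage) -----------------
# An entry only SETS the known-good password. Nothing here checks it; the
# "pap" or "mschap" module does that later, in authenticate.

# Weak layout (the forcing Alan suspects): a catch-all ahead of the local
# entries. DEFAULT matches every request, and a matched entry without
# Fall-Through ends the search, so "localuser" is never reached and every
# user is sent to AD whether or not the file knows the password.
#DEFAULT    Auth-Type := ntlm_auth
#localuser  Cleartext-Password := "example-only-password"

# Corrected layout: the local entry comes first and sets no Auth-Type, so
# the password it supplies is what gets checked. MS-CHAP-Use-NTLM-Auth := No
# tells mschap to compare against that local password instead of calling the
# ntlm_auth helper from modules/mschap (assumes a server that honours this
# attribute; older 2.x builds may not).
localuser   Cleartext-Password := "example-only-password", MS-CHAP-Use-NTLM-Auth := No
            Reply-Message = "local account"

# Names the file does not know fall off the end with no Auth-Type set. For
# MS-CHAPv2 (the inner-tunnel case) mschap then uses ntlm_auth on its own.
# For PAP a catch-all is still needed; it belongs LAST, after local users,
# and only for requests that actually carry a User-Password.
DEFAULT     User-Password =* ANY, Auth-Type := ntlm_auth

# --- raddb/sites-available/inner-tunnel, authenticate section ------------
# This section is a dispatch on Auth-Type; an entry runs only when authorize
# chose it. Listing a module here does not make it run for everyone, but a
# forced "Auth-Type := ntlm_auth" in authorize does exactly that.
authenticate {
    Auth-Type PAP {
        pap          # compares User-Password with the known-good password
    }
    Auth-Type MS-CHAP {
        mschap       # local password, or ntlm_auth = ... from modules/mschap
    }
    ntlm_auth        # exec module from modules/ntlm_auth; selected only for
                     # requests whose Auth-Type was explicitly set to ntlm_auth
    eap
}
```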