Users File co-existing with NTLM-Auth

Alan DeKok aland at
Wed Apr 21 20:04:00 CEST 2010

Nathan McDavit-Van Fleet wrote:
> I followed the configuration off of

  That's a good start. :)

> I diff'ed my configuration with the original files. And the only changes
> I've made are adding ntlm_auth to authenticate of both "default" and
> "inner-tunnel" as well as the "ntlm_auth =" line in modules/mschap.

  OK... that should use ntlm_auth for MS-CHAP, and only for MS-CHAP.  So
are you using MS-CHAP, or PEAP?

> Other than minor configurations to do with LDAP, which I protect with an
> "if" statement, it's a regular FR install. Can you tell me what configs you
> want to know?
> Attached are mschap and inner-tunnel since I think those would be most
> relevant. Note that ntlm->AD works, and so do files. It's just that files
> don't work while ntlm_auth is enabled.

  I'm not sure what you mean by "when ntlm_auth is enabled".  There are
a few places where it could be enabled... which ones?

  My *guess* is that you're using PEAP, and enabling ntlm_auth in
modules/mschap.  If so, then change the "authorize" section by adding
this at the end:

	# A local Cleartext-Password is known for this user: do not call ntlm_auth
	if (control:Cleartext-Password) {
		update control {
			MS-CHAP-Use-NTLM-Auth = No
		}
	}

  The "MS-CHAP-Use-NTLM-Auth" attribute is documented in the comments in
the modules/mschap file.

  Alan DeKok.
