Users File co-existing with NTLM-Auth
Alan DeKok
aland at deployingradius.com
Wed Apr 21 20:04:00 CEST 2010
Nathan McDavit-Van Fleet wrote:
> I followed the configuration off of deployingfreeradius.com
>
> http://deployingradius.com/documents/configuration/active_directory.html
That's a good start. :)
> I diff'ed my configuration with the original files. And the only changes
> I've made is adding ntlm_auth to authenticate of both "default" and
> "inner-tunnel" as well as the "ntlm_auth =" line in modules/mschap.
OK... that should use ntlm_auth for MS-CHAP, and only for MS-CHAP. So
are you using MS-CHAP, or PEAP?
> Other than minor configurations to do with LDAP, which I protect with an
> "if" statement, it's a regular FR install. Can you tell me what configs you
> want to know?
>
> Attached are mschap and inner-tunnel since I think those would be most
> relevant. Note that ntlm->AD works, and so do files. It's just that files
> don't work while ntlm_auth is enabled.
I'm not sure what you mean by "when ntlm_auth is enabled". There are
a few places where it could be enabled... which ones?
My *guess* is that you're using PEAP, and enabling ntlm_auth in
modules/mschap. If so, then change the "authorize" section by adding
this at the end:

	if (control:Cleartext-Password) {
		update control {
			MS-CHAP-Use-NTLM-Auth = No
		}
	}

The "MS-CHAP-Use-NTLM-Auth" attribute is documented in the comments in
the modules/mschap file.
Alan DeKok.