Users File co-existing with NTLM-Auth

Nathan McDavit-Van Fleet nmcdavit at alcor.concordia.ca
Wed Apr 21 20:49:36 CEST 2010


You sir, are awesome Alan DeKok.

Nathan Van Fleet

> -----Original Message-----
> From: freeradius-users-bounces+nmcdavit=alcor.concordia.ca at lists.freeradius.org [mailto:freeradius-users-bounces+nmcdavit=alcor.concordia.ca at lists.freeradius.org] On Behalf Of Alan DeKok
> Sent: Wednesday, April 21, 2010 2:04 PM
> To: FreeRadius users mailing list
> Subject: Re: Users File co-existing with NTLM-Auth
> 
> Nathan McDavit-Van Fleet wrote:
> > I followed the configuration off of deployingfreeradius.com
> >
> > http://deployingradius.com/documents/configuration/active_directory.html
> 
>   That's a good start. :)
> 
> > I diff'ed my configuration with the original files. And the only changes
> > I've made is adding ntlm_auth to authenticate of both "default" and
> > "inner-tunnel" as well as the "ntlm_auth =" line in modules/mschap.
> 
>   OK... that should use ntlm_auth for MS-CHAP, and only for MS-CHAP. So
> are you using MS-CHAP, or PEAP?
> 
> > Other than minor configurations to do with LDAP, which I protect with an
> > "if" statement, it's a regular FR install. Can you tell me what configs you
> > want to know?
> >
> > Attached are mschap and inner-tunnel since I think those would be most
> > relevant. Note that ntlm->AD works, and so do files. It's just that files
> > don't work while ntlm_auth is enabled.
> 
>   I'm not sure what you mean by "when ntlm_auth is enabled".  There are
> a few places where it could be enabled... which ones?
> 
>   My *guess* is that you're using PEAP, and enabling ntlm_auth in
> modules/mschap.  If so, then change the "authorize" section by adding
> this at the end:
> 
> 	if (control:Cleartext-Password) {
> 		update control {
> 			MS-CHAP-Use-NTLM-Auth = No
> 		}
> 	}
> 
>   The "MS-CHAP-Use-NTLM-Auth" attribute is documented in the comments in
> the modules/mschap file.
> 
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
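
How the pieces discussed in this thread fit together, as an added example that is not part of the original messages or of FreeRADIUS's shipped configuration. It assumes a FreeRADIUS 2.x raddb layout, PEAP with MS-CHAP in the inner tunnel, a constructed local user `localtest`, and an `ntlm_auth` binary path that will differ per system.

```conf
# --- raddb/users (read by the "files" module) ---
# Constructed local account that does not exist in Active Directory.
# Name and password are placeholders. This file stores the password in
# clear text, so keep it readable only by the account radiusd runs as.
localtest	Cleartext-Password := "constructed-example-password"

# --- raddb/modules/mschap (fragment) ---
mschap {
	# With this line set, MS-CHAP verification is handed to ntlm_auth
	# (and so to AD) unless control:MS-CHAP-Use-NTLM-Auth says No.
	# The binary path is an assumption.
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

# --- raddb/sites-available/inner-tunnel (fragment) ---
authorize {
	mschap

	# "files" has to run before the check below: it is the module that
	# adds control:Cleartext-Password for users listed in raddb/users.
	files

	# Placed at the end of authorize, as suggested in the thread.
	# Users with a local password skip ntlm_auth and are verified
	# against Cleartext-Password; everyone else still goes to AD.
	if (control:Cleartext-Password) {
		update control {
			MS-CHAP-Use-NTLM-Auth = No
		}
	}
}

authenticate {
	Auth-Type MS-CHAP {
		mschap
	}
}
```

Running the server in debug mode (`radiusd -X`) and authenticating once as a users-file account and once as an AD account shows which path the mschap module took for each request.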
