how to configure Cisco vpn clients againts freeradius

Jevos, Peter Peter.Jevos at
Thu Jul 15 12:51:19 CEST 2010

Jevos, Peter wrote:
> Thank you for your answer, but I don't understand

  The documentation && debug mode is clear.  Do you have a *specific*

> I took it from the mailing list:
> /msg00046.html

  I see.  You'll believe some random post on the list, but not the
documentation, debug mode, or the main author?

> I'd like to authenticate all cisco vpn clients that match the proper
> domain name and password. I already have the ntlm_auth command, but I
> don't know how should look like the Users file

  You were told what the "users" file should look like.  The "Auth-Type"
text goes on the FIRST line of the entry.  See "man users", and the
examples in the default "users" file.  NONE of the examples in the
default "users" file have "Auth-Type" on the second line of an entry.

  Alan DeKok.
Dear Alan, thank you for your answer

Actually debug says : Unknown value ntlm_auth2 for attribute Auth-Type

I've changed it as you adviced and I put the Auth-Type on the first
place. However in the man page there is no example how to use Auth-Type
and HUntgorup together.
So my config is:

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{mschap:User-Name} --domain=%{%{mschap:NT-Domain}:-MYDOMAIN}

ntlm_auth2 = "/usr/bin/ntlm_auth --request-nt-key
--username=%{mschap:User-Name} --domain=%{%{mschap:NT-Domain}:}
--require-membership-of='DOMAIN+vpn users'"

And the user file is:

user    Auth-Type := ntlm_auth
        Service-Type = NAS-Prompt-User,
        cisco-avpair = "shell:priv-lvl=15"

DEFAULT          Auth-Type := ntlm_auth2
                 Huntgroup-Name == "vpn"

Of course, I would prefer direct post how it should looks like, cause
the documentation has lack of examples and the only source is examples
from mailing list.

Please,  does anybody has example how to combine two ntlm_auth ?
Thanks a lot


More information about the Freeradius-Users mailing list