how to configure Cisco vpn clients against freeradius

Alan DeKok aland at
Thu Jul 15 16:59:18 CEST 2010

Jevos, Peter wrote:
> So now, I have created second ntlm_auth2 file in the modules directory,
> with this command:


> I also added new authentication method ntlm_auth2 into
> sites-available/inner-tunnel and default


> I tested with "radtest USER PASSWORD localhost 0 testing123" and the
> test passed : )

  Very good!

> So I have created another line in the modules/mschap that looks like:
> ntlm_auth2 = "/usr/bin/ntlm_auth --request-nt-key
> --domain=%{%{mschap:NT-Domain}:} --username=%{mschap:User-Name}
> --challenge=%{mschap:Challenge:-00}
> --nt-response=%{mschap:NT-Response:-00} --require-membership-of=
> S-1-5-21-853024553-185696384-3473746203-512"

  Err... no.  That won't work.

> But the vpn cisco clients are authenticated through domainname\username
> and password

  Then you don't need to edit the mschap configuration.

> Is this ntlm_auth2 in the mschap ok ? or should I remove
> --domain=%{%{mschap:NT-Domain}:} ?

  Delete the "ntlm_auth2" line from the mschap config.  It does nothing.

> I also changed users to :
> DEFAULT          Auth-Type := ntlm_auth2,Huntgroup-Name == "vpn"

  That should work.

  Alan DeKok.
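Putting the pieces of this thread together in one place, as an added example (not configuration from the original post or from the FreeRADIUS project): an `exec` module named `ntlm_auth2` that carries the `--require-membership-of` group restriction, referenced from the `authenticate` section and selected in `users` for the VPN huntgroup. The file layout is that of a FreeRADIUS 2.x install; the NAS address in `huntgroups` and the `EXAMPLE` domain are constructed, the group SID is the one quoted above.

```text
# modules/ntlm_auth2 -- a copy of modules/ntlm_auth with the AD group check added.
# This is where the --require-membership-of option belongs; an "ntlm_auth2 = ..."
# line inside the mschap { } block is never read by the mschap module.
exec ntlm_auth2 {
	wait = yes
	# Cisco clients send DOMAIN\username, so %{mschap:NT-Domain} yields the domain.
	# PAP only: the cleartext User-Password is handed to ntlm_auth.
	program = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --password=%{User-Password} --require-membership-of=S-1-5-21-853024553-185696384-3473746203-512"
}

# sites-available/default (and inner-tunnel if the VPN traffic is tunnelled):
# make the module available as an Auth-Type.
authenticate {
	Auth-Type PAP {
		pap
	}
	mschap
	ntlm_auth2
}

# huntgroups -- constructed NAS address; only requests from this NAS count as "vpn".
vpn	NAS-IP-Address == 192.0.2.10

# users -- force the group-checked module for VPN requests only,
# exactly as set in the thread.
DEFAULT	Auth-Type := ntlm_auth2, Huntgroup-Name == "vpn"
```

Restart the server in debug mode (`radiusd -X`) and repeat the `radtest` from the thread with a user who is not in the group; the request should be rejected, and the ntlm_auth output in the debug log shows the membership check failing rather than a bad password.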
