Yet another multiple SSID setup question
Fajar A. Nugraha
list at fajar.net
Fri Jul 15 05:30:09 CEST 2011
On Fri, Jul 15, 2011 at 9:28 AM, Nick Kartsioukas
<lists.freeradius at change.nightwind.net> wrote:
> The LDAP queries are against the AD server, btw. I forgot to paste the
> mschap module config, but that's pretty basic...
>
> mschap mschap_cuesta {
>     ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=CUESTA
>         --username=%{%{Stripped-User-Name}:-%{User-Name:-None}}
>         --challenge=%{mschap:Challenge:-00}
>         --nt-response=%{mschap:NT-Response:-00}"
> }
Ah, OK.
I think this will not work
authenticate {
    Auth-Type CUESTA {
        eap_cuesta
        mschap_cuesta
    }
}
... as it means "do eap, and AFTER THAT do mschap". That roughly means
mschap will be processed if eap does not return handled/success. What
you want is "do eap, and inside eap do mschap".
So try changing it to
authenticate {
    Auth-Type CUESTA {
        eap_cuesta
    }
}
and in the eap section, add the lines pointing to an inner tunnel,
something like this
eap eap_cuesta {
    ...
    peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel-cuesta"
    }
    ...
}
then create a NEW config file to handle the virtual server
inner-tunnel-cuesta (use sites-available/inner-tunnel as a base). On
this virtual server you need to configure mschap and ntlm_auth.
--
Fajar
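As an added illustration (not part of the original thread), here is a minimal inner-tunnel-cuesta virtual server of the kind the reply describes. It assumes a FreeRADIUS 2.x sites-available layout, the mschap_cuesta and eap_cuesta instances from the messages above, and that inner requests are authenticated locally rather than proxied.

```conf
# sites-available/inner-tunnel-cuesta  (added example, not from the thread)
# Handles the EAP-MSCHAPv2 exchange that PEAP carries inside the TLS tunnel.
# Enable it the same way as the stock inner-tunnel (symlink in sites-enabled/).
server inner-tunnel-cuesta {
    authorize {
        # Unpacks the inner EAP packet and sets Auth-Type = EAP.
        # Assumption: reusing the outer eap_cuesta instance is fine here,
        # since its mschapv2 sub-module is all the inner side needs.
        eap_cuesta
        suffix
        update control {
            # Keep the inner identity local; never proxy the tunneled request.
            Proxy-To-Realm := LOCAL
        }
    }

    authenticate {
        # The eap mschapv2 sub-module hands the challenge/response to the
        # Auth-Type MS-CHAP section of *this* server, so this is where
        # mschap_cuesta (and thus ntlm_auth against the CUESTA domain) runs.
        Auth-Type MS-CHAP {
            mschap_cuesta
        }
        eap_cuesta
    }

    post-auth {
        # Strip attributes that should not accompany a reject (stock behaviour).
        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
    }
}
```

Start the server with debugging (radiusd -X) and confirm that the inner request is logged under server inner-tunnel-cuesta and that mschap_cuesta, not the outer Auth-Type CUESTA section, performs the ntlm_auth call.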