ntlm and mysql

Phil Mayers p.mayers at imperial.ac.uk
Fri May 11 13:43:32 CEST 2012

On 11/05/12 11:40, Paolo Barbato wrote:
> On a test deployment I've both mysql and ntlm (AD) configured.

By "ntlm" you mean the "mschap" module calling the "ntlm_auth" helper, yes?

> If I use EAP there is no problem authenticating users on both backends.
> But, in the process of using a Cisco WLC captive portal, I've verified
> that only sql works.

WLC captive portal sends "pap" requests. Therefore, the "mschap" module 
doesn't (can't) process them.

You can create a simple "exec" module which calls "ntlm_auth" in 
username/password mode, like so:


exec papntdom {
   wait = yes
   # wait = yes makes the module map ntlm_auth's exit code to ok / reject
   # (the rest of the ntlm_auth command line, i.e. the username/password
   # options, was cut off in the original message)
   program = "/usr/bin/ntlm_auth "
}

You then need to arrange for the "papntdom" module to be called for 
users who aren't found in SQL. For example:


authorize {
   # notfound below refers to the return code of the module called just before
   sql
   if (notfound) {
     # if not found in SQL
     if (User-Password) {
       # and it's a PAP request
       update control {
         Auth-Type = PAPNTDOM
       }
     }
   }
}

authenticate {
   Auth-Type PAP {
     # handles users in SQL w/ Cleartext-Password
     pap
   }
   Auth-Type PAPNTDOM {
     # handles users in Active Directory
     papntdom
   }
}

Obviously you will need to modify this policy as appropriate, to meet 
your needs and match the other modules you are using.
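For reference, the same policy written out as a complete FreeRADIUS configuration. This is an added example, not taken from Phil's message: the ntlm_auth options are Samba's `--request-nt-key`, `--domain`, `--username` and `--password`; `EXAMPLEDOM` is a placeholder for the AD domain, and the stock `sql`, `pap` and `mschap` modules are assumed to be loaded.

```unlang
# Module definition: call ntlm_auth in username/password mode.
# ntlm_auth exits 0 on success and non-zero on failure; with wait = yes
# the exec module turns that into ok / reject for the request.
exec papntdom {
   wait = yes
   # shell_escape neutralises shell metacharacters in the expanded
   # attributes before they reach the command line
   shell_escape = yes
   # EXAMPLEDOM is a placeholder for the AD domain (assumption).
   # %{mschap:User-Name} strips any DOMAIN\ or @realm prefix so only the
   # bare account name is handed to ntlm_auth.
   program = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLEDOM --username=%{mschap:User-Name} --password=%{User-Password}"
}

# Virtual server: route PAP requests that SQL does not know to AD.
authorize {
   sql
   if (notfound) {
     # not in SQL; only take the AD path for PAP requests (User-Password
     # present), so EAP/mschap flows are left untouched
     if (User-Password) {
       update control {
         Auth-Type := PAPNTDOM
       }
     }
   }
   # pap sets Auth-Type = PAP when SQL supplied a Cleartext-Password and
   # returns noop if Auth-Type was already set above
   pap
}

authenticate {
   Auth-Type PAP {
     # users found in SQL with a Cleartext-Password
     pap
   }
   Auth-Type PAPNTDOM {
     # users not in SQL, checked against Active Directory
     papntdom
   }
}
```

Note that with this exec approach the cleartext password is passed on ntlm_auth's command line, so it is visible in the process list on the RADIUS host for the lifetime of each ntlm_auth process; restrict local logins on that host accordingly.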
