ntlm and mysql
Paolo Barbato
paolo.barbato at igi.cnr.it
Fri May 11 15:03:12 CEST 2012
Phil… really helpful. Thanks!!!
On 11 May 2012, at 13:43, Phil Mayers wrote:
> On 11/05/12 11:40, Paolo Barbato wrote:
>> On a test deployment I've both mysql and ntlm (AD) configured.
>
> By "ntlm" you mean the "mschap" module calling the "ntlm_auth" helper, yes?
>
>>
>> If I use EAP no problem to authenticate users on both backend.
>>
>> But…in the process to use a Cisco WLC captive portal I've verified that
>> only sql works.
>
> WLC captive portal sends "pap" requests. Therefore, the "mschap" module doesn't (can't) process them.
>
> You can create a simple "exec" module which calls "ntlm_auth" in username/password mode, like so:
>
> modules/papntdom:
>
> exec papntdom {
>     wait = yes
>     program = "/usr/bin/ntlm_auth --username=%{%{Stripped-User-Name}:-%{mschap:User-Name}} --password=%{User-Password}"
> }
>
> You then need to arrange for the "papntdom" module to be called for users who aren't found in SQL. For example:
>
> sites-enabled/default:
>
> authorize {
>     ...
>     sql
>     if (notfound) {
>         # if not found in SQL
>         if (User-Password) {
>             # and it's a PAP request
>             update control {
>                 Auth-Type = PAPNTDOM
>             }
>         }
>     }
>     ...
> }
>
> authenticate {
>     Auth-Type PAP {
>         # handles users in SQL w/ Cleartext-Password
>         pap
>     }
>     Auth-Type PAPNTDOM {
>         # handles users in Active Directory
>         papntdom
>     }
> }
>
> Obviously you will need to modify this policy as appropriate, to meet your needs and match the other modules you are using.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------------------------------------------------------------------------
Paolo Barbato
Consorzio RFX
corso Stati Uniti,4
35127 Padova - Italy
Network Administrator
phone: +39 049 8295097 fax: +39 049 8700718
------------------------------------------------------------------------------------------------
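To try the papntdom policy above in a lab before the server is joined to AD, a stand-in for /usr/bin/ntlm_auth that honours the same --username=/--password= argument form and the exit-code contract rlm_exec relies on (exit 0 means ok, anything else means reject) is useful; this is an added example, not code from the thread or from Samba/FreeRADIUS. The account table is constructed, and the NT_STATUS strings are modelled on ntlm_auth's output but are an assumption, since only the exit status matters to the exec module.

```python
#!/usr/bin/env python3
"""Stand-in for /usr/bin/ntlm_auth so the papntdom exec module can be
tested without an AD join. Constructed example: the account table is fake."""
import sys

# Constructed test accounts, keyed by bare username (no DOMAIN\ prefix).
FAKE_AD = {"alice": "Wonderland1!", "bob": "correct horse"}


def parse_args(argv):
    """Parse --key=value options, the form used in the module's program line."""
    opts = {}
    for arg in argv:
        if arg.startswith("--") and "=" in arg:
            key, value = arg[2:].split("=", 1)
            opts[key] = value
    return opts


def bare_username(name):
    """Drop a DOMAIN\\ prefix, as %{mschap:User-Name} does, and also an
    @realm suffix (the realm handling is an added convenience here)."""
    if "\\" in name:
        name = name.split("\\", 1)[1]
    if "@" in name:
        name = name.split("@", 1)[0]
    return name


def check(username, password):
    """Return (exit_code, message). With wait = yes, rlm_exec maps exit 0
    to 'ok' and any non-zero exit to 'reject'; that is the whole contract."""
    user = bare_username(username)
    if password is not None and FAKE_AD.get(user) == password:
        return 0, "NT_STATUS_OK: Success (0x0)"
    return 1, "NT_STATUS_LOGON_FAILURE: Logon failure (0xc000006d)"


def main(argv):
    opts = parse_args(argv)
    code, msg = check(opts.get("username", ""), opts.get("password"))
    print(msg)
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Point the module's program line at this script while testing, then switch back to the real ntlm_auth. Because the exec module passes User-Password as a command-line argument, the cleartext password is visible in process listings on the RADIUS host for the lifetime of the helper, with the real binary as much as with this stand-in.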