ntlm_auth not respected
Phil Mayers
p.mayers at imperial.ac.uk
Thu Aug 22 00:05:56 CEST 2013
On 21/08/2013 13:55, Chris Parker wrote:
> Thank you Phil! That resolved my first steps, and I figured there was
> something like that. I have poured over deployingfreeradius.com, but
> for the life of me I could not find anything of assistance for my set
> up.
Yeah... to be honest, I think I've just confused matters.
> I have enabled the ntlm_auth line in modules/mschap but no password
> is sent to ntlm_auth to be checked. So the fact that it's failing
> makes sense, since there's no password being read in and thus it
> fails authorize. So this is just escaping me on how to get the
> password into ntlm_auth via MSCHAP. On top of that, when my access
> point succeeds against the users file, I suspect it's doing EAP but
> the logs never say "I have detected EAP, setting EAP"
I see a lot of confusion in that paragraph.
In brief: RADIUS supports multiple authentication algorithms, and the
client chooses the algorithm.
"modules/ntlm_auth" can only handle PAP, which sends a username & password.
"modules/mschap" can handle MSCHAP, which sends a challenge/response
based on the password
"eap" handles EAP, and then calls other modules to handle what runs
inside the EAP tunnel.
You're getting confused because you seem to be trying to configure
"modules/ntlm_auth" to handle MSCHAP, which won't work. MSCHAP doesn't
send the password to the server; just a one-time function of it.
My advice - go back to the default configs, and ignore
"modules/ntlm_auth". It's not really intended for use as-is; it's a
sample config for people to build on if the have advanced knowledge of
the server.
Re-read the stuff on deployingradius.com - if you're trying to do
WPA-Enterprise (aka 802.1x) then it is definitive. If you're trying to
do something else, describe what, and show a *full* debug of a client
trying and failing.
More information about the Freeradius-Users
mailing list