MSCHAP authentication against Active directory OR MySQL

Alan DeKok aland at
Thu Jun 12 15:59:14 CEST 2014

Krzysztof Grobelak wrote:
> On my freeRADIUS instance i am able to authenticate MSCHAP requests
> against Active Directory using the ntlm_auth module and Samba
> aditionally i can authenticate another group of WiMAX devices with
> MACHAP against MySQL database. But if I enable the config for WiMAX
> devices the are being authenticated aginst Active Directory and not
> the MySQL db. Now I would like to be able to configure the server so
> that both groups can be authenticated local users against Active
> Directory and the WiMAX devices against database.

  That should be simple enough to do.

> Can you guys advice how i can make it happen? I suspect unlang will be
> needed to do this but if you could specify how exactly it would be
> awesome.

  Well... reading the docs && debug logs should help a lot.

> would it be something along those lines??
> authorise{
> 	mschap{

  No.  That won't work.

> 		if("%{NAS-IP-Address}" == ""){

  There's no need to put everything in quotes.

> 			sql
> 		}
> 		else{
> 			ntlm_auth
> 		}
> 	}
> }

  You should be able to just do this:

authorize {

	if (NAS-IP-Address == {
		update control {
			MS-CHAP-Use-NTLM-Auth = No

  And configure the "mschap" module, the "ntlm_auth" entry.

  Alan DeKok.

More information about the Freeradius-Users mailing list