Authenticate via AD and via local "users" file
Alan DeKok
aland at deployingradius.com
Wed Feb 28 19:02:22 CET 2018
On Feb 28, 2018, at 12:53 PM, DUPALUT, Benjamin <benjamin.dupalut at esiee.fr> wrote:
> I'm using a pfsense server as captive portal to authenticate users on my
> WiFi network. The captive portal is set to interrogate my freeradius server.
>
> My freeradius server can already authenticate users via my AD using
> winbind. I also need local accounts (via "users" file) to create some
> temporary "WiFi" accounts for guests.
How do you decide which one to use?
> My problem is that it seems that when freeradius receives an mschap request,
> it only interrogates the AD and does not check the local "users" file:
Because you configured it to do that...
> *Radtest output :*
Don't post that. Read this: http://wiki.freeradius.org/list-help
> *freeradius -X output :*
With lots and lots of blank space, and debug output which is massively reformatted and unreadable.
The short answer is that if you set a "known good" password for the user, and tell it to *not* use NTLM-Auth:
bob Cleartext-Password := "password", MS-CHAP-Use-NTLM-Auth := no
Then the MS-CHAP module will do that.
This is documented in the comments in raddb/mods-available/mschap. Please read that for further information.
Alan DeKok.