Authenticate via AD and via local "users" file

DUPALUT, Benjamin benjamin.dupalut at esiee.fr
Thu Mar 1 12:53:22 CET 2018


Hi Alan,

Thank you for your reply and your advice. It works now.

Regards,

*Benjamin Dupalut*
System and Network Administrator
Service des Moyens Informatiques Généraux (SMIG)
ESIEE Paris
2 bd Blaise Pascal - 93162 Noisy-le-Grand Cedex
T : +33 1 45 92 66 17
benjamin.dupalut at esiee.fr
www.esiee.fr / www.cci-paris-idf.fr

2018-02-28 19:02 GMT+01:00 Alan DeKok <aland at deployingradius.com>:

> On Feb 28, 2018, at 12:53 PM, DUPALUT, Benjamin <benjamin.dupalut at esiee.fr>
> wrote:
> > I'm using a pfsense server as captive portal to authenticate users on my
> > WiFi network. The captive portal is set to interrogate my freeradius
> > server.
> >
> > My freeradius server can already authenticate users via my AD using
> > winbind. I also need local accounts (via the "users" file) to create some
> > temporary "WiFi" accounts for guests.
>
>   How do you decide which one to use?
>
> > My problem is that it seems that when freeradius receives an mschap
> > request, it only interrogates the AD and does not check the local
> > "users" file:
>
>   Because you configured it to do that...
>
> > *Radtest output :*
>
>   Don't post that.  Read this:  http://wiki.freeradius.org/list-help
>
> > *freeradius -X output :*
>
>   With lots and lots of blank space, and debug output which is massively
> reformatted and unreadable.
>
>   The short answer is that if you set a "known good" password for the
> user, and tell it to *not* use NTLM-Auth:
>
> bob     Cleartext-Password := "password", MS-CHAP-Use-NTLM-Auth := no
>
>  Then the MS-CHAP module will do that.
>
>   This is documented in the comments in raddb/mods-available/mschap.
> Please read that for further information.
>
>   Alan DeKok.
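An added example, not part of the original thread and not FreeRADIUS code: a small Python audit of a "users" file that reports, for each entry with a local `Cleartext-Password`, whether MS-CHAP will verify it locally (`MS-CHAP-Use-NTLM-Auth := no`, as in the reply above) or still hand it to ntlm_auth and AD. It assumes ntlm_auth is configured in the mschap module as in the thread; the sample entries and the function names `parse_users` and `audit` are constructed for illustration.

```python
import re

# Constructed sample in raddb "users" file syntax (not taken from the thread).
SAMPLE_USERS = '''\
# temporary WiFi guests
guest1  Cleartext-Password := "s3cret,1", MS-CHAP-Use-NTLM-Auth := no
        Reply-Message := "Guest access"
guest2  Cleartext-Password := "hunter2"
guest3  Cleartext-Password := "pass#3", MS-CHAP-Use-NTLM-Auth := Yes
DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP
'''

# One check item: attribute, operator, then a quoted string or a bare word.
ITEM = re.compile(r'([\w-]+)\s*(:=|==|\+=|!=|=)\s*("(?:[^"\\]|\\.)*"|[^,\s]+)')

def parse_users(text):
    """Return [(name, {attribute_lowercase: value})] from entry header lines."""
    entries = []
    for line in text.splitlines():
        # Skip blanks, comment lines and indented reply-item lines.
        if not line.strip() or line[0] in " \t#":
            continue
        parts = line.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
        checks = {m.group(1).lower(): m.group(3).strip('"')
                  for m in ITEM.finditer(rest)}
        entries.append((parts[0], checks))
    return entries

def audit(text):
    """Map each entry holding a local password to where MS-CHAP verifies it."""
    result = {}
    for name, checks in parse_users(text):
        if "cleartext-password" not in checks:
            continue  # no local password on this entry, nothing to audit
        # Assumption: without an explicit "no", mschap calls ntlm_auth (AD).
        use_ntlm = checks.get("ms-chap-use-ntlm-auth", "yes").lower()
        result[name] = "local" if use_ntlm == "no" else "ntlm_auth"
    return result

if __name__ == "__main__":
    # Only names and the verification path are printed, never the passwords.
    for name, where in audit(SAMPLE_USERS).items():
        print(f"{name:8} MS-CHAP verified via: {where}")
```

Entries reported as `ntlm_auth` are guest accounts whose local password would be ignored for MS-CHAP requests, which is the symptom described in the question.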

