Trouble with FR3 users file format
Diggins Mike
diggins at mcmaster.ca
Tue Jan 1 21:22:08 CET 2019
Hello and Happy New Year!
I am building a new FR3 server running the latest version to replace my FR2 server. Both authenticate users using ntlm-auth only and Radtest confirms that is working for PAP and MSCHAP. However, my ported users file seems to be causing a change in behaviour. This is what the users file looks like (from FR2).
userid2 Auth-Type = ntlm_auth
Reply-Message = "attr1, attr2"
guest002 Auth-Type = ntlm_auth
Reply-Message = "attr1, attr2"
userid3 Auth-Type = ntlm_auth
Reply-Message = "attr1, attr2"
userid4 Auth-Type = ntlm_auth
Reply-Message = "attr1, attr2"
DEFAULT Auth-Type = ntlm_auth
Only some of my users are in this file and have reply attributes. All other users also use ntlm_auth but have no reply attributes and are not listed in the file. Again, this worked in FR2.
Using the same file in FR3, authentication works correctly whether the user is in the file or not, which is correct. However, I do not get the Reply-Message attributes in the reply unless the user happens to be the very first one listed in the file (userid2 in this case). guest002 gets nothing returned, nor do any of the others.
If I remove the DEFAULT statement at the end of the file, any user in the users file authenticates correctly and gets the proper attributes returned in the Reply-Message. However, anyone not in the users file can no longer authenticate using PAP. Only MSCHAP works. I have users using both methods but no local passwords on the FR server.
It seems redundant to specify the ntlm_auth type for every user in my users file given that's the only available option for authentication. Is there a correct way to do this and restore the previous behaviour?
-Mike