allowing multiple Auth-Type in authorize file
Alan DeKok
aland at deployingradius.com
Sat Mar 23 19:54:34 CET 2019
On Mar 23, 2019, at 10:28 AM, Niels Tomey <niels at ixs.ph> wrote:
> I’ve set up freeradius 3.0.17 quite some time ago to process ssh logins
> based on LDAP/AD accounts (with group membership in post-auth) and this
> works fine. I followed the guide on deployingradius.com (
> http://deployingradius.com/documents/configuration/active_directory.html),
> but haven’t implemented the mschap section as I didn’t need it at the time.
Ok.
> Now I am running into this need and I was trying to figure out why it
> wasn’t working only to discover that I left the
>
> DEFAULT Auth-Type = ntlm_auth
>
> Line in the mods-config/files/authorize file. As expected this breaks my
> attempts to include mschap.
Yes. You can set that only if there are no MS-CHAP attributes.
> My problem is that this is the only non-commented line in the entire file,
> so rather than just delete the line I need to enter some other information
> here to prevent the
>
> ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
Yes.
> In the comments in the file it states that multiple DEFAULTs can be used
> with Fall-Through so I tried this:
>
> DEFAULT Auth-Type = ntlm_auth
>
> Fall-Through = Yes
>
> DEFAULT Auth-Type = mschap
>
> But this doesn’t work.
Yes. Don't set multiple Auth-Types.
Plus, the "users" file can't really do complex if / then / else checks. Use "unlang" for that.
> What is the best approach for this? I would like to
> avoid having to name my users here since they are in ldap already and I
> don’t know if a device will only authenticate using mschap or not (e.g. it
> will be difficult to split this out in the clients.conf file).
Delete the Auth-Type entries from mods-config/files/authorize. Then edit sites-enabled/default:

    authorize {
        ...
        mschap    # sets Auth-Type mschap for MSCHAP stuff...
        ...
        #
        # If it's PAP, use ntlm_auth
        #
        if (User-Password) {
            update control {
                Auth-Type := ntlm_auth
            }
        }
        pap
    }

That should work.
Alan DeKok.
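
An added example, not part of the original message and not FreeRADIUS code: a small Python check that lists every entry in a "users"-format file (such as mods-config/files/authorize) whose check items set Auth-Type, so those entries can be found and deleted as the reply advises. The sample file content is constructed, and the parser assumes entries start in column 0, reply items are indented, and comments are whole lines starting with '#'.

```python
import re

# Constructed sample in "users" file format, mirroring the entries quoted in the thread.
SAMPLE_AUTHORIZE = """\
# whole-line comments are ignored
DEFAULT Auth-Type = ntlm_auth
        Fall-Through = Yes

DEFAULT Auth-Type = mschap

bob     Cleartext-Password := "hello"
        Reply-Message := "Hello"
"""

# Auth-Type as a check item: attribute, operator, value. The lookbehind keeps
# Post-Auth-Type (or any other *-Auth-Type attribute) from matching.
AUTH_TYPE_ITEM = re.compile(r'(?<![\w-])Auth-Type\s*(:=|==|\+=|=)\s*("[^"]*"|[^,\s]+)')


def find_forced_auth_types(text):
    """Return (line_no, entry_name, operator, value) for each entry whose
    check-item line sets Auth-Type.

    Assumed layout: an entry starts in column 0 as "name check-items",
    its reply items follow on indented lines, and comments are whole
    lines starting with '#'.
    """
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if raw[0].isspace():
            continue  # indented line: reply items, not check items
        parts = stripped.split(None, 1)
        name = parts[0]
        checks = parts[1] if len(parts) > 1 else ""
        for match in AUTH_TYPE_ITEM.finditer(checks):
            findings.append((line_no, name, match.group(1), match.group(2).strip('"')))
    return findings


if __name__ == "__main__":
    for line_no, name, op, value in find_forced_auth_types(SAMPLE_AUTHORIZE):
        scope = "every request" if name == "DEFAULT" else "user " + name
        print(f"line {line_no}: Auth-Type {op} {value} forced for {scope}")
```
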