allowing multiple Auth-Type in authorize file
Niels Tomey
niels at ixs.ph
Sun Mar 24 15:27:37 CET 2019
authorize {
    ...
    mschap    # sets Auth-Type mschap for MSCHAP stuff...
    ...
    #
    # If it's PAP, use ntlm_auth
    #
    if (User-Password) {
        update control {
            Auth-Type := ntlm_auth
        }
    }
    pap
}
That makes perfect sense. I noticed while testing stuff that the
User-Password remains empty when the incoming request is mschap but the
config forces ntlm_auth.
Will have to wait until I'm in the office tomorrow, but I can see how this
works.
Thanks for pointing me in the right direction!
Niels
On Sun, Mar 24, 2019, 02:58 Alan DeKok <aland at deployingradius.com> wrote:
> On Mar 23, 2019, at 10:28 AM, Niels Tomey <niels at ixs.ph> wrote:
> > I’ve set up freeradius 3.0.17 quite some time ago to process ssh logins
> > based on LDAP/AD accounts (with group membership in post-auth) and this
> > works fine. I followed the guide on deployingradius.com
> > (http://deployingradius.com/documents/configuration/active_directory.html),
> > but haven’t implemented the mschap section as I didn’t need it at the time.
>
> Ok.
>
> > Now I am running into this need and I was trying to figure out why it
> > wasn’t working only to discover that I left the
> >
> > DEFAULT Auth-Type = ntlm_auth
> >
> > line in the mods-config/files/authorize file. As expected this breaks my
> > attempts to include mschap.
>
> Yes. You can set that only if there's no MS-CHAP attributes.
>
> > My problem is that this is the only non-commented line in the entire file,
> > so rather than just delete the line I need to enter some other information
> > here to prevent the
> >
> > ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
>
> Yes.
>
> > In the comments in the file it states that multiple DEFAULTs can be used
> > with Fall-Through so I tried this:
> >
> > DEFAULT Auth-Type = ntlm_auth
> >
> > Fall-Through = Yes
> >
> > DEFAULT Auth-Type = mschap
> >
> > But this doesn’t work.
>
> Yes. Don't set multiple Auth-Types.
>
> Plus, the "users" file can't really do complex if / then / else checks.
> Use "unlang" for that.
>
> > What is the best approach for this? I would like to
> > avoid having to name my users here since they are in ldap already and I
> > don’t know if a device will only authenticate using mschap or not (e.g. it
> > will be difficult to split this out in the clients.conf file).
>
> Delete the Auth-Type entries from mods-config/files/authorize . Then
> edit sites-enabled/default:
>
> authorize {
>     ...
>     mschap    # sets Auth-Type mschap for MSCHAP stuff...
>     ...
>
>     #
>     # If it's PAP, use ntlm_auth
>     #
>     if (User-Password) {
>         update control {
>             Auth-Type := ntlm_auth
>         }
>     }
>     pap
> }
>
> That should work.
>
> Alan DeKok.
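As an added illustration (not from this thread or the FreeRADIUS project's own files), here is how the two paths fit together in a FreeRADIUS 3.0 setup: the ntlm_auth exec module is handed %{User-Password}, which is why forcing Auth-Type ntlm_auth on an MS-CHAP request runs with an empty password, while the mschap module forwards the challenge/response instead, and each Auth-Type set in authorize needs a matching sub-section in authenticate. /path/to/ntlm_auth and MYDOMAIN are placeholders for the local installation.

```text
# mods-available/ntlm_auth (enabled via a symlink in mods-enabled/)
# PAP path: the request carries User-Password, so it can be passed on.
exec ntlm_auth {
	wait = yes
	program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
}

# mods-available/mschap
# MS-CHAP path: there is no User-Password; the challenge and NT-Response
# from the request are forwarded to ntlm_auth instead.
mschap {
	use_mppe = yes
	with_ntdomain_hack = yes
	ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

# sites-enabled/default
authorize {
	# ... preprocess, ldap and the other modules already in use ...
	mschap    # sets Auth-Type := MS-CHAP only when MS-CHAP attributes are present
	# ...
	if (User-Password) {
		update control {
			Auth-Type := ntlm_auth    # PAP requests only
		}
	}
	pap
}

authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type MS-CHAP {
		mschap
	}
	# dispatch target for the Auth-Type set in authorize above
	Auth-Type ntlm_auth {
		ntlm_auth
	}
}
```

Both paths can be exercised against a test server with the stock client: `radtest user pass localhost 0 testing123` sends PAP, and `radtest -t mschap user pass localhost 0 testing123` sends MS-CHAP, so running `radiusd -X` shows which Auth-Type each request ends up with.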