Wifi + Active Directory without ntlm

Клеусов Владимир Сергеевич Kleusov.Vladimir at wildberries.ru
Thu May 28 10:32:43 CEST 2020


Thanks. Working version of TTLS/PAP and ldap module.


In /etc/freeradius/mods-enabled/eap
eap {
    default_eap_type = ttls
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = ${max_requests}
    tls-config tls-common {
        private_key_file = /etc/freeradius/certs/ssl-cert-snakeoil.key
        certificate_file = /etc/freeradius/certs/ssl-cert-snakeoil.pem
        ca_file = /etc/freeradius/certs/ca-certificates.crt
        dh_file = ${certdir}/dh
        ca_path = ${cadir}
        cipher_list = "HIGH"
        cipher_server_preference = no
        ecdh_curve = "prime256v1"
        check_crl = no
    }
    ttls {
        tls = tls-common
        default_eap_type = md5
        copy_request_to_tunnel = no
        use_tunneled_reply = yes
        virtual_server = "inner-tunnel"
    }
}

But group access doesn't work.

In /etc/freeradius/users
LDAP-Group == "VPN_GROUP"
DEFAULT Group != "VPN_GROUP", Auth-Type := Reject

/etc/freeradius/mods-config/files/authorize[1]: Parse error (check) for entry LDAP-Group: Invalid attribute name
Failed reading /etc/freeradius/mods-config/files/authorize
/etc/freeradius/mods-enabled/files[9]: Instantiation failed for module "files"

Is it possible to configure group access in this configuration?

> On May 19, 2020, at 16:04, Alan DeKok <aland at deployingradius.com> wrote:
> 
> 
> 
>> On May 19, 2020, at 7:35 AM, Клеусов Владимир Сергеевич via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>> 
>> Sum up. I can't use AD without ntlm. Because there are encrypted passwords coming from AD. Do I need Ntlm to work with encrypted passwords?
> 
> That's a little confused.
> 
> Doing MS-CHAP to AD requires ntlm_auth.
> 
> If you have PAP, you can do normal LDAP bind to AD.
> 
> If you're not using AD, then FreeRADIUS supports all standard encryption types.  But these only work for PAP.  NT hashed passwords also work for MS-CHAP.
> 
> Alan DeKok.
> 
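
An added example, not part of the original thread and not the project's own configuration: one way to express the group restriction in unlang inside the `inner-tunnel` virtual server that the ttls block above points at, instead of the users file. A users-file entry has to begin with a user name or `DEFAULT` followed by its check items; the posted first line begins with the attribute itself, which matches the parser reporting an entry named `LDAP-Group`. The example assumes the LDAP module instance is named `ldap` and that its group settings can resolve `VPN_GROUP` for the tunnelled User-Name.

```text
# /etc/freeradius/sites-enabled/inner-tunnel  (fragment, added example)
#
# Assumptions: the module instance in mods-enabled is called "ldap", and
# its group lookup settings are able to find VPN_GROUP for the user.
# The check runs inside the TLS tunnel, where the real User-Name and the
# PAP password are visible; the outer request may carry only an
# anonymous identity.

authorize {
    # ... modules already listed in this section ...

    # Look the user up in the directory.
    ldap

    # LDAP-Group is the comparison attribute provided by the ldap module.
    # Reject every tunnelled user who is not a member of VPN_GROUP.
    # The negation wraps the whole comparison instead of using "!=".
    if (!(LDAP-Group == "VPN_GROUP")) {
        reject
    }

    # ... remaining modules (for example pap) ...
}
```

Running the server in debug mode (`freeradius -X`) shows the group search and whether the `if` condition matched for a given login.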



