[EXT] Re: 802.1X - ldap AND users file
Brian Julin
BJulin at clarku.edu
Wed Apr 1 16:31:49 UTC 2026
Alan DeKok via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> On Apr 1, 2026, at 11:22 AM, cedric Delaunay <cedric.delaunay at insa-rennes.fr> wrote:
>> I'd like to find how to force "accept" for a special user, based on "mods-config/files/authorize" file
>> - user is logged-in on device so that his real username is known only by inner-tunnel
>> - user isn't known by ldap (that's why I try with "users" file)
>> - user's password may change so that I don't want to check it
> This allegedly works. It was posted to the list a while back. I haven't had a chance to test it in detail, or figure out exactly what Windows is doing with it.
> authorize {
> ...
> update {
> &control:SMB-Account-CTRL-TEXT := '[N]'
> &reply:MS-CHAP2-Success = 'password-free'
> }
> ..
>
> That allegedly works for MS-CHAP authentication. I've tried it with PEAP, and got nowhere.
Hrm... well I hope not. Otherwise MS has made some evil twins pretty happy.
If it isn't some leftover legacy thing then it'll be another "thousand cut" move in pursuit of their pipe dream of passwordless-everything, done with little to no regard for the realities of running an enterprise level BYOD network.
Sigh, I'm getting sick of the bi-annual break-fix cycle at the mercy of major players' supplicant behaviors. Well... at least Android finally fixed their stuff.