John Horne <[EMAIL PROTECTED]> wrote:
...
> This all works fine; the user is authenticated and radiusd sees that
> MS-CHAPv2 is being used (and is to be used).

Hmm... so MS-CHAPv2 works, as I suspected. Recent discussion on the
list says it's broken on some systems, but I don't know why.

> However, if I simply change the users file entry to:
>
> fred Auth-Type := Local, User-Password != "anything"
>
> Specifying that the pwd should not be 'anything' then it doesn't work.
> That is, I cannot authenticate. The radiusd output shows:

I don't see why you would expect that user to authenticate.

> My thought was to make a default entry such as:
>
> DEFAULT Auth-Type := Local, User-Password != "something"
>
> I have tried, from the FAQ, using just 'Auth-Type = Accept' but although
> radiusd seems to accept the user and password, the connection then
> fails.

Hmm... that's probably an issue with the MS-CHAP module.

OK, go to src/modules/rlm_mschap/rlm_mschap.c, look for:

    vp = pairmake("Auth-Type", authtype_name, T_OP_SET);

change the T_OP_SET to T_OP_EQ, and re-compile & install the
module. It should work then.

> Anyone got any suggestions about this? Relevant parts of the
> radiusd.conf are below, but simply changing the users file entry operator
> from '==' to '!=' surely shouldn't cause a problem? All the encryption
> stuff should work because instead of comparing the users file password
> with the one the user enters when connecting, it should simply check for
> equality or not. When '==' is used they should be equal, when '!=' is
> used they should not be equal.

Due to the way passwords are checked, it doesn't quite work that
way.

Alan DeKok.