On Thu, 2004-01-08 at 18:39, Alan DeKok wrote:
> John Horne <[EMAIL PROTECTED]> wrote:
> > As can be seen it says 'Login OK' but seems to be missing the:
> > 
> >     Sending Access-Accept of id 209 to 127.0.0.1:40603
> >         MS-CHAP2-Success = 0x01533d36364635423233344331414344363438463746353946443832353834324437424131433645464332
> 
>   Ah, yes.  For that, the server needs access to the user's password.
> 
>   Since you want it to authenticate *anyone* using MS-CHAP, you'll
> need to supply the server with all of their passwords.  In which
> case, you might as well let the MSCHAP module just authenticate them
> normally.
> 
>   MS-CHAPv2 is two-way authentication.  There's no way to get around
> that.
> 
Okay, many thanks. I think that confirms what I was beginning to
suspect. As initially mentioned this all arose from a disaster recovery
test of our servers. The problem being caused by the fact that we only
have one MS IAS server and in losing that server we would need to let
all users through RADIUS. I think we will either need to get another IAS
server, or perhaps get freeradius to use LDAP calls as a fallback - we
have resilient servers providing ldap information for our web caches. (I
think I prefer this option :-))

Many thanks for all your help.

John.

-- 
---------------------------------------------------------------
John Horne, University of Plymouth, UK  Tel: +44 (0)1752 233914
E-mail: [EMAIL PROTECTED]       Fax: +44 (0)1752 233839



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
