Hi!
Alan DeKok wrote:
> Andreas Haumer <[EMAIL PROTECTED]> wrote:
>
>> 2.2) The FreeRADIUS server is set up to support MSCHAPv2 authentication.
>>      This is not trivial and requires some fiddling.
>
> Absolutely not. If you configure a user && clear-text password,
> then MSCHAPv2 authentication will work the first time you try it in
> the default configuration.
>

But clear-text passwords are in many situations a no-no, and usually you
already have the sambav3 schema, which gives you the Windows password
hashes, which will work with mschapv2 authentication.

>> 2.2.3) in radiusd.conf I have the authorize and authenticate
>>        sections configured as follows:
>
> Please, please, edit those sections AS LITTLE AS POSSIBLE.
>

I have used the documentation from the freeradius package. Look at
ldap_howto.txt to see how it is edited.

> The more edits people make to those sections, the more likely they
> are to break the server. The intent is that in order to use various
> modules, they should be simply uncommented.
>

Hm. You can put it another way: a huge configuration file with lots of
lines, some of them commented out, can be quite confusing for the reader.
But YMMV of course...

>> IMHO there are two important parts here:
>> a) in the authorize section I have the "ldap" module and the "mschap"
>>    module following immediately
>
> They are in the reverse order in the default "radiusd.conf".
> Switching the order makes it more difficult for the server to figure
> out what to do.
>
>> b) in the "authenticate" section there is only the "mschap" module listed.
>
> This means PAP, CHAP, and EAP won't work.
>
>> As far as I can tell this works quite fine. If anyone wants to
>> comment on this setup or has some tips and improvements I would
>> be happy to hear. Perhaps we can collect all the information and
>> write an up-to-date HOWTO for this kind of application.
>
> A "howto" is: CHANGE AS LITTLE AS POSSIBLE IN THE DEFAULT CONFIGURATION.
> The default configuration was created by people with years of
> experience using FreeRADIUS, who understand the internals very well
> (often having programmed them.) If you think you can do a better job,
> you should ensure that you understand exactly what you're doing.
>

I of course don't think I can do a better job than you; I never wanted to
make such a statement. But there is documentation in the freeradius
package which also gives examples of big changes to the config files.

For me it's easier to understand a small, single-purpose configuration
file (which has only the settings necessary for that purpose) than a big
one where you have to find the relevant information between lots of
irrelevant comments.

- andreas

-- 
Andreas Haumer                     | mailto:[EMAIL PROTECTED]
*x Software + Systeme              | http://www.xss.co.at/
Karmarschgasse 51/2/20             | Tel: +43-1-6060114-0
A-1100 Vienna, Austria             | Fax: +43-1-6060114-71

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
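The two layouts argued over in the thread, side by side. This is an added example written for this page; it is neither the poster's radiusd.conf nor the file shipped with FreeRADIUS. The radiusd.conf syntax is the 1.x style the thread is about; the Samba 3 attribute names in the ldap.attrmap lines at the end are assumed and should be checked against the ldap.attrmap of the installed version.

```conf
# radiusd.conf excerpt (FreeRADIUS 1.x syntax). Added example, not the
# poster's file and not the project's shipped default.

# --- Layout from the post ------------------------------------------
# ldap runs before mschap in authorize, and authenticate lists nothing
# but mschap. Only MS-CHAPv2 can succeed here: a PAP, CHAP or EAP
# request has no Auth-Type block to land in, so it fails.
#
# authorize {
#         preprocess
#         ldap
#         mschap
# }
# authenticate {
#         mschap
# }

# --- Layout closer to the shipped default --------------------------
# Keep the shipped module order (mschap ahead of ldap) and just
# uncomment ldap. mschap in authorize only marks a request that carries
# MS-CHAP attributes with Auth-Type MS-CHAP; ldap then supplies the
# NT-Password check item from the directory, and the MS-CHAP block in
# authenticate verifies the client's response against it. PAP, CHAP
# and EAP keep working because their blocks are still present.
authorize {
        preprocess
        chap
        mschap
        suffix
        eap
        files
        ldap
}

authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        eap
}

# --- ldap.attrmap excerpt -------------------------------------------
# Map the Samba 3 schema hash attributes onto the check items the
# mschap module uses, so no clear-text password has to be stored.
# Attribute names are an assumption about the Samba 3 schema; confirm
# them against the ldap.attrmap shipped with your FreeRADIUS version.
checkItem       LM-Password     sambaLmPassword
checkItem       NT-Password     sambaNtPassword
```

With the second layout, nothing is reordered and nothing is removed; the only change from the shipped file is the uncommented `ldap` line in authorize, which is the "simply uncommented" approach the reply asks for. The LM-Password mapping is there only because Samba stores both hashes; if the directory has no LM hashes the line can be dropped.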