Steve,

                #ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
                ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}"

This stanza is enclosed with the mschap section, still nothing ventured....
I changed the line and unfolded it and ran radiusd -X. The first request didn't
match anything useful and was rejected by System. I tried again but ticked the
box 'CHAP' on NTRadPing and got the output:

<snip>

  rad_check_password:  Found Auth-Type CHAP
auth: type "CHAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group CHAP for request 0
  rlm_chap: login attempt by "burst01" with CHAP password
  rlm_chap: Could not find clear text password for user burst01
  modcall[authenticate]: module "chap" returns invalid for request 0
modcall: leaving group CHAP (returns invalid) for request 0

You can't do this.

If you want to do ntlm_auth, you need to use an authentication protocol that provides FreeRADIUS with either the user's (1) cleartext credentials or (2) the user's NT credentials.

CHAP won't work - it's impossible. However PAP will work, as will MS-CHAP. CHAP is different from MS-CHAP.

best regards, josh.