> I have a server successfully authenticating users using eap-mschapv2 or
> eap-ttls for eduroam and wired 802.1x. I'm now trying to expand the system
> to include authorisation/authentication for console and telnet access to
> cisco switches.
>
> For telnet access, I now have:
>
> A new file modules/ntlm_auth which contains,
>
>     exec ntlm_auth {
>         wait = yes
>         program = "/usr/sfw/bin/ntlm_auth --request-nt-key --username=%{User-Name} --password=%{User-Password}"
>     }
>
> At the end of the users file,
>
>     DEFAULT NAS-Port-Type = Virtual, NAS-IP-Address = x.x.x.x, Auth-Type := ntlm_auth
Put this after pap in the authorize section of the default virtual server instead:

    if (!control:Auth-Type) {
        update control {
            Auth-Type := "ntlm_auth"
        }
    }

> And at the end of the sites-enabled/default and sites-enabled/inner-tunnel
> authenticate sections, immediately after eap
>
>     ntlm_auth
>
> It works though interestingly (for me at least) if I comment out ntlm_auth
> from the inner-tunnel file, the server fails to start with an
> "Unknown value ntlm_auth for attribute Auth-Type" error. I don't
> understand that as I don't want to use this authentication method with
> peap!

That's because the users file is common to both (all) virtual servers. If you
use that unlang you don't need an entry in the inner-tunnel server.

> Obviously the users entry above only works for a single switch as the IP
> address is specified. Next step is to specify groups of switches.

Just adapt the if statement so it fires when you want it to. You can add
Huntgroup-Name or something like that into it.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
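The following is an added illustration of the approach suggested in the reply above (the unlang check plus a huntgroup); it is not configuration posted by either participant. The huntgroup name cisco-switches and the 192.0.2.x addresses are made up for the example; substitute your own. It uses FreeRADIUS 2.x syntax to match the modules/ and sites-enabled/ layout in the thread, and assumes the exec module definition from the original post is in place unchanged.

```unlang
# raddb/huntgroups
# Constructed example: three switches grouped under one huntgroup name.
# Each line is "groupname  attribute op value"; a NAS matching any line
# gets Huntgroup-Name = "cisco-switches" when the preprocess module runs.
cisco-switches   NAS-IP-Address == 192.0.2.10
cisco-switches   NAS-IP-Address == 192.0.2.11
cisco-switches   NAS-IP-Address == 192.0.2.12

# raddb/sites-enabled/default (relevant parts only)
authorize {
    preprocess          # must come first: evaluates huntgroups, sets Huntgroup-Name
    ...
    eap {
        ok = return
    }
    ...
    pap

    # Fire only for telnet sessions (NAS-Port-Type = Virtual, as in the
    # original users entry) from a switch in the huntgroup, and only when
    # nothing earlier (e.g. eap) has already chosen an Auth-Type.
    if (!control:Auth-Type && Huntgroup-Name == "cisco-switches" && NAS-Port-Type == Virtual) {
        update control {
            Auth-Type := "ntlm_auth"
        }
    }
}

authenticate {
    ...
    eap

    # Listing the module here is what defines the Auth-Type value "ntlm_auth";
    # without it the server fails to start with the "Unknown value ntlm_auth
    # for attribute Auth-Type" error quoted above.
    ntlm_auth
}
```

Because the Auth-Type is now set only by this conditional block in the default server and no longer by a DEFAULT entry in the shared users file, sites-enabled/inner-tunnel needs no ntlm_auth entry and PEAP/TTLS users are unaffected. Two checks worth doing: run radiusd -X and confirm that a request from an address outside the huntgroup does not get Auth-Type := ntlm_auth, and confirm that an EAP request from a listed switch still takes the eap path. One caveat inherent to the exec approach in the original post: the user's cleartext password is passed on the ntlm_auth command line, so it is briefly visible to other local users in the process list (for example via ps) while the helper runs; the example above does not change that.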