I have a users file with name and password. I would like Freeradius to check if there is a good username/password in the users file before failing using ntlm_auth.

As I said I currently have a good working copy of Freeradius with ntlm_auth configuration. However, when I have ntlm_auth in inner-tunnel->"authenticate" section, the username/password in the users file no longer works. So if I disable the entry "ntlm_auth" from the authenticate the users file works again. I know that the username is unique to my users file (it doesn't exist on AD). I just need it so when ntlm_auth fails, it checks the known password from the users file.

So is this a case of me having to see if there is a known good password before trying ntlm_auth?

Nathan Van Fleet

> -----Original Message-----
> From: freeradius-users-bounces+nmcdavit=alcor.concordia...@lists.freeradius.org
> [mailto:freeradius-users-bounces+nmcdavit=alcor.concordia...@lists.freeradius.org] On Behalf Of Alan DeKok
> Sent: Wednesday, April 21, 2010 11:46 AM
> To: FreeRadius users mailing list
> Subject: Re: Users File co-existing with NTLM-Auth
>
> Nathan McDavit-Van Fleet wrote:
> > Can someone maybe describe exactly what's happening internally?
>
> The debug output shows exactly what it is doing, and often also shows why.
>
> > From my understanding it should be checking "files" as per the setup in
> > "inner-tunnel" which is what mschap uses. I made sure that "files" appeared
> > before mschap in "inner-tunnel" but it has no effect; ntlm_auths still work
> > and "files" aren't.
>
> See the FAQ for "it doesn't work".
>
> You've also confused authorization with authentication. They're different.
>
> > Past that I'm not sure what I can do. Since files work without ntlm_auth, I
> > have no reason to believe I have to insert "files" anyplace new, and I'm not
> > certain what it is I should disable. It should just check files before
> > ntlm_auth.
>
> You've confused two independent things. The "files" module does
> things like "set the 'known good' password". Any "ntlm_auth" module
> involves checking the password in the packet against Active Directory.
>
> They are *completely* different operations.
>
> For Active Directory instructions, see:
>
> http://deployingradius.com/documents/configuration/active_directory.html
>
> > If I implemented anything using unlang it would be checking files before
> > ntlm_auth.
>
> It already does that in the default configuration.
>
> You are stuck because you are focussed on a particular implementation:
> "files before ntlm_auth". The statement (and question behind it) are
> wrong. Instead, state what you want to do. The rest should be
> relatively simple.
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html