Nathan McDavit-Van Fleet wrote:
> I have a users file with name and password. I would like Freeradius to check
> if there is a good username/password in the users file before failing using
> ntlm_auth.

That's not quite it... the "users" file *sets* the "known good" password in the "authorize" stage of the server. The "pap" or "chap" module *checks* the password.

> As I said I currently have a good working copy of Freeradius with ntlm_auth
> configuration. However, when I have ntlm_auth in
> inner-tunnel->"authenticate" section, the username/password in the users
> file no longer works. So if I disable the entry "ntlm_auth" from the
> authenticate the users file works again.

Again... that is confusing authentication with authorization.

> I know that the username is unique to my users file (it doesn't exist on
> AD).
>
> I just need it so when ntlm_auth fails, it checks the known password from
> the users file.
>
> So is this a case of me having to see if there is a known good password
> before trying ntlm_auth?

Possibly. However, I have *no idea* what you've configured. The default configuration doesn't have an "ntlm_auth" entry in sites-available/inner-tunnel, and none of the "howtos" I've written would result in this behavior.

Please post a sample of your configuration. How does it know to run ntlm_auth in the authenticate method?

Odds are you've configured it to *force* ntlm_auth authentication, even when there's an entry in the "users" file. The simple answer is "don't do that".

Alan DeKok.
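The authorize/authenticate split described in the reply above, as an added configuration sketch that is not part of the original message and is not the poster's or the project's shipped configuration. It assumes PAP inside the tunnel (a cleartext User-Password is present) and an exec module instance named "ntlm_auth"; the user name and password are constructed placeholders.

```conf
# --- users file (constructed sample entry; name and password are placeholders) ---
# Forcing pattern to avoid: a catch-all at the top that pins every request to
# ntlm_auth, so a local entry further down is never used:
#   DEFAULT  Auth-Type := ntlm_auth
#
# A local account only needs its "known good" password set:
localuser  Cleartext-Password := "constructed-example-password"

# --- sites-available/inner-tunnel (fragment) ---
authorize {
    files    # authorization: reads "users" and SETS control:Cleartext-Password
    pap      # finds a known-good password and selects Auth-Type PAP

    # Assumed fallback rule: pick ntlm_auth only when nothing above already
    # chose an Auth-Type and the request carries a cleartext User-Password.
    if (!control:Auth-Type && User-Password) {
        update control {
            Auth-Type := ntlm_auth
        }
    }
}

authenticate {
    Auth-Type PAP {
        pap          # authentication: CHECKS User-Password against the known-good one
    }
    Auth-Type ntlm_auth {
        ntlm_auth    # assumed: exec module instance named "ntlm_auth"
    }
}
```

This decides the method up front in "authorize" instead of retrying after an ntlm_auth failure: names with a local entry are checked by pap, and every other name goes to ntlm_auth.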