You sir, are awesome Alan DeKok.

Nathan Van Fleet

> -----Original Message-----
> From: freeradius-users-bounces+nmcdavit=alcor.concordia...@lists.freeradius.org
> [mailto:freeradius-users-bounces+nmcdavit=alcor.concordia...@lists.freeradius.org] On Behalf Of Alan DeKok
> Sent: Wednesday, April 21, 2010 2:04 PM
> To: FreeRadius users mailing list
> Subject: Re: Users File co-existing with NTLM-Auth
>
> Nathan McDavit-Van Fleet wrote:
> > I followed the configuration off of deployingfreeradius.com
> >
> > http://deployingradius.com/documents/configuration/active_directory.html
>
>   That's a good start. :)
>
> > I diff'ed my configuration with the original files. And the only changes
> > I've made is adding ntlm_auth to authenticate of both "default" and
> > "inner-tunnel" as well as the "ntlm_auth =" line in modules/mschap.
>
>   OK... that should use ntlm_auth for MS-CHAP, and only for MS-CHAP. So
> are you using MS-CHAP, or PEAP?
>
> > Other than minor configurations to do with LDAP, which I protect with an
> > "if" statement, it's a regular FR install. Can you tell me what configs you
> > want to know?
> >
> > Attached are mschap and inner-tunnel since I think those would be most
> > relevant. Note that ntlm->AD works, and so do files. It's just that files
> > don't work while ntlm_auth is enabled.
>
>   I'm not sure what you mean by "when ntlm_auth is enabled". There are
> a few places where it could be enabled... which ones?
>
>   My *guess* is that you're using PEAP, and enabling ntlm_auth in
> modules/mschap. If so, then change the "authorize" section by adding
> this at the end:
>
>       if (control:Cleartext-Password) {
>               update control {
>                       MS-CHAP-Use-NTLM-Auth = No
>               }
>       }
>
>   The "MS-CHAP-Use-NTLM-Auth" attribute is documented in the comments in
> the modules/mschap file.
>
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
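
The suggestion quoted above, placed in a PEAP inner-tunnel virtual server. This is an added illustration, not configuration posted by anyone in the thread. The module list is a trimmed assumption modelled on a stock FreeRADIUS 2.x inner-tunnel file, and the users-file entry is constructed.

```unlang
# raddb/users (constructed entry for a local, non-AD account)
localuser  Cleartext-Password := "constructed-example-password"

# raddb/sites-available/inner-tunnel (trimmed; module list is an assumption)
server inner-tunnel {
    authorize {
        # Sets Auth-Type to MS-CHAP when the request carries
        # MS-CHAP attributes.
        mschap

        eap {
            ok = return
        }

        # For accounts listed in the users file, this adds
        # Cleartext-Password to the control list.
        files

        # Must come after "files" so the test sees the password it added.
        # Local account: mschap checks the response itself against the
        #   cleartext password and does not call ntlm_auth.
        # AD account: no Cleartext-Password in control, nothing is
        #   changed, and mschap still hands the exchange to ntlm_auth.
        if (control:Cleartext-Password) {
            update control {
                MS-CHAP-Use-NTLM-Auth = No
            }
        }
    }

    authenticate {
        Auth-Type MS-CHAP {
            mschap
        }
        eap
    }
}
```

Running the server in debug mode (`radiusd -X`) and authenticating once with a users-file account and once with an AD account shows which path each request takes.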