Hi Alan, Thanks for the help! This works well and lessens the confusion on my part.
I do have one question. When using ldap as the authorization module the Auth-Type gets set properly to siteone_ldap. But if I try using ntlm_auth then the Auth-Type is not set even though ntlm_auth returns OK.

rad_recv: Access-Request packet from host 127.0.0.1 port 38806, id=14, length=63
	User-Name = "SITEONE\\hhoffman"
	User-Password = "password"
	NAS-IP-Address = 127.0.0.1
	NAS-Port = 1812
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "SITEONE\hhoffman", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] Looking up realm "SITEONE" for User-Name = "SITEONE\hhoffman"
[ntdomain] Found realm "SITEONE"
[ntdomain] Adding Stripped-User-Name = "hhoffman"
[ntdomain] Adding Realm = "SITEONE"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
++? if (!Realm)
? Evaluating !(Realm) -> FALSE
++? if (!Realm) -> FALSE
++? elsif (Realm == "siteone.edu")
? Evaluating (Realm == "siteone.edu") -> FALSE
++? elsif (Realm == "siteone.edu") -> FALSE
++? elsif (Realm == "SITEONE")
? Evaluating (Realm == "SITEONE") -> TRUE
++? elsif (Realm == "SITEONE") -> TRUE
++- entering elsif (Realm == "SITEONE") {...}
[siteone_ntlm_auth] 	expand: --username=%{Stripped-User-Name} -> --username=hhoffman
[siteone_ntlm_auth] 	expand: --password=%{User-Password} -> --password=password
Exec-Program output: NT_STATUS_OK: Success (0x0)
Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
Exec-Program: returned: 0
+++[siteone_ntlm_auth] returns ok
++- elsif (Realm == "SITEONE") returns ok
++ ... skipping elsif for request 6: Preceding "if" was taken
++ ... skipping elsif for request 6: Preceding "if" was taken
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
Login incorrect: [SITEONE\\hhoffman] (from client localhost port 1812)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] 	expand: %{User-Name} -> SITEONE\hhoffman
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 6 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 6
Sending Access-Reject of id 14 to 127.0.0.1 port 38806
Waking up in 4.9 seconds.
Cleaning up request 6 ID 14 with timestamp +864
Ready to process requests.

On Tue, 2010-10-12 at 21:48 +0200, Alan DeKok wrote:
> Harry Hoffman wrote:
> > I'm following along with the docs for Autz-Type in freeradius-2.1.8,
> > specifically the section about selecting between multiple instances of a
> > module.
>
>   In 2.x, there are better ways to do this.  See "man unlang" for
> conditionally calling a module.
>
> > In users.conf I have:
> > DEFAULT Realm == "siteone.edu", Autz-Type := siteone_ldap, Auth-Type :=
> > siteone_ldap
>
>   Please don't say "users.conf".  It's the "users" file.
>
>   The issue is that 2.x has the "inner-tunnel" virtual server, and the
> documentation is left over from 1.1.x.  The solution is instead to *not*
> use the "users" file.  Instead, do:
>
> authorize {
> 	...
> 	if (Realm == "siteone.edu") {
> 		siteone_ldap
> 	}
> 	...
> }
>
>   This will *also* have it automatically set "Auth-Type" to
> siteone_ldap, too.  That's simpler than the "users" file entry, and
> gives less room for mistakes.
>
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
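The debug output above shows why the SITEONE branch is rejected: the exec-based siteone_ntlm_auth instance returns ok in authorize, but unlike rlm_ldap it never sets Auth-Type, so pap finds no "known good" password and no authenticate method is selected. As an added example (not code from the thread or from FreeRADIUS itself), the following unlang sets Auth-Type explicitly with the `update control` block from "man unlang" and moves the ntlm_auth call into the authenticate section; the instance names are the thread's, the realm branch structure is simplified, and the ntlm_auth path is a placeholder.

```unlang
# sites-enabled/default (repeat in inner-tunnel if the realm arrives
# inside EAP).  Added example; instance names taken from the thread.
authorize {
	# preprocess, suffix, ntdomain ... as before
	if (Realm == "siteone.edu") {
		# rlm_ldap sets Auth-Type := siteone_ldap on its own
		siteone_ldap
	}
	elsif (Realm == "SITEONE") {
		# rlm_exec only runs a program and reports its exit code;
		# it does not set Auth-Type, so select the authenticate
		# sub-section here instead of calling the module now.
		update control {
			Auth-Type := siteone_ntlm_auth
		}
	}
	# eap, files, expiration, logintime, pap ... as before
}

authenticate {
	# Run ntlm_auth only once Auth-Type has chosen it, rather than
	# on every request that passes through authorize.
	Auth-Type siteone_ntlm_auth {
		siteone_ntlm_auth
	}
	# other Auth-Type sections (PAP, CHAP, MS-CHAP, eap) as before
}

# modules/siteone_ntlm_auth: the exec instance seen in the debug output.
# "/path/to/ntlm_auth" is a placeholder for the local Samba binary.
# This path needs the plaintext User-Password (PAP); with debugging on
# the password is printed in the expand: line, as the log above shows.
exec siteone_ntlm_auth {
	wait = yes
	program = "/path/to/ntlm_auth --domain=SITEONE --username=%{Stripped-User-Name} --password=%{User-Password}"
}
```

With this in place the debug output should show "Found Auth-Type = siteone_ntlm_auth" after authorize and the Exec-Program lines inside the authenticate group rather than before the pap warning.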