On Fri, Jul 15, 2011 at 9:28 AM, Nick Kartsioukas <lists.freerad...@change.nightwind.net> wrote:
> The LDAP queries are against the AD server, btw. I forgot to paste the
> mschap module config, but that's pretty basic...
>
> mschap mschap_cuesta {
>         ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=CUESTA --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
> }
Ah, OK. I think this will not work:

authenticate {
        Auth-Type CUESTA {
                eap_cuesta
                mschap_cuesta
        }
}

... as it means "do eap, and AFTER THAT do mschap". That roughly means mschap will be processed if eap does not return handled/success.

What you want is "do eap, and inside eap do mschap". So try changing it to:

authenticate {
        Auth-Type CUESTA {
                eap_cuesta
        }
}

and in the eap section, add the lines pointing to an inner tunnel, something like this:

eap eap_cuesta {
        ...
        peap {
                default_eap_type = mschapv2
                copy_request_to_tunnel = no
                use_tunneled_reply = no
                virtual_server = "inner-tunnel-cuesta"
        }
        ...
}

Then create a NEW config file to handle the virtual server inner-tunnel-cuesta (use sites-available/inner-tunnel as a base). On this virtual server you need to configure mschap and ntlm_auth.

--
Fajar

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
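Added example (not Fajar's or the FreeRADIUS project's config, and not posted in the thread): a minimal sites-available/inner-tunnel-cuesta that does what the reply describes, i.e. runs mschap_cuesta (and therefore ntlm_auth) inside the PEAP tunnel rather than after eap_cuesta in the outer server. It assumes a FreeRADIUS 2.x directory layout, the instance names eap_cuesta and mschap_cuesta from the thread, the stock attr_filter.access_reject instance, and that EAP-MSCHAPv2 dispatches the tunnelled MS-CHAP exchange to the "Auth-Type MS-CHAP" section as the stock inner-tunnel file does; check that against the sites-available/inner-tunnel shipped with your version.

```text
# sites-available/inner-tunnel-cuesta
# Added example, not from the thread. Assumes FreeRADIUS 2.x and the module
# instances eap_cuesta (PEAP, default_eap_type = mschapv2) and mschap_cuesta
# (ntlm_auth against the CUESTA domain) from the original post.
#
# Activate with: ln -s ../sites-available/inner-tunnel-cuesta sites-enabled/
# and verify with radiusd -X that ntlm_auth is run from this server.
server inner-tunnel-cuesta {

        authorize {
                # Recognise the EAP-MSCHAPv2 request carried inside PEAP and
                # stop here; the outer server already set up the tunnel.
                eap_cuesta {
                        ok = return
                }

                # Flags plain MS-CHAP requests so Auth-Type is set for them.
                mschap_cuesta
        }

        authenticate {
                # Assumption: the EAP-MSCHAPv2 submodule hands the inner
                # MS-CHAP challenge/response to this section, the same way
                # the stock inner-tunnel uses "Auth-Type MS-CHAP { mschap }".
                # Putting the ntlm_auth-backed instance here is what makes
                # "do eap, and inside eap do mschap" happen.
                Auth-Type MS-CHAP {
                        mschap_cuesta
                }

                # Drives the EAP-MSCHAPv2 state machine for the tunnelled request.
                eap_cuesta
        }

        post-auth {
                # Keep reply attributes on rejects to the usual minimum.
                Post-Auth-Type REJECT {
                        attr_filter.access_reject
                }
        }
}
```

With this in place the outer server's Auth-Type CUESTA section should contain only eap_cuesta, as in the reply; mschap_cuesta in the outer authenticate section would never see the tunnelled credentials, since EAP returns handled while the tunnel is still being negotiated.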