Hi Fajar, I did read the replies as well as Alan's page. Being a newbie to FR, I actually started with that only.
On Sat, Jan 21, 2012 at 7:44 PM, Fajar A. Nugraha <l...@fajar.net> wrote:

> Did you REALLY read the replies sent to this list?
> Did you REALLY read Alan's page,
> http://deployingradius.com/documents/configuration/active_directory.html
> to the end?
>

The version of radtest on my system doesn't support the -t option, hence even after doing radtest -h I could not find anything. I settled for the jradius client to achieve the same effect already. I have tried upgrading the package but it's already at the latest version.

> If yes, you'd know that:
> - radtest can send mschap request as well (see 'radtest -h')
>

The only changes I have made to the default config are in the inner tunnel or default file. Attaching the same if you may have a look. I have never blamed Alan that his recipe is flawed.

> - Alan's page, up to 'Configuring FreeRADIUS to use ntlm_auth',
> contains detailed instruction on how to make FR works with AD and pap.
> If you can't get it to work, that means you're doing something wrong.
> Probably editing some entries you shouldn't, since your ntlm_auth
> result is OK (which means samba + AD part is working correctly). It's
> perfectly fine to be creative and edit the config file as you see fit,
> but ONLY if you know what you're doing. If you're given a recipe, and
> choose to stray from it, and messed up, don't blame the guy who
> created the recipe.
>

The PAP thing is already working fine, as I mentioned earlier, and I have followed every bit of Alan's guide. Would redo the things again if it works.

> - Also on Alan's page, there's the section 'Configuring FreeRADIUS to
> use ntlm_auth for MS-CHAP'. That pretty much answers the last part of
> your question, but ONLY if you already got pap working properly.
>

Attaching the inner tunnel and default file, please go through the same and point out if something is amiss.....
Default File
------------------------------------------------------------------------------

authorize {
    preprocess
#   auth_log
    chap
    mschap
#   digest
#   wimax
#   IPASS
    suffix
#   ntdomain
    eap {
        ok = return
    }
#   unix
#   files
#   sql
    ntlm_auth
#   etc_smbpasswd
#   ldap
#   checkval
    expiration
    logintime
    pap
#if(!control:Auth-Type) {
#update control {
#   Auth-Type = "ntlm_auth"
#}
#}
#   Autz-Type Status-Server {
#
#   }
}

authenticate {
    Auth-Type NTLM_AUTH {
        ntlm_auth
    }
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
#   digest
#   pam
#   unix
#   Auth-Type LDAP {
#       ldap
#   }
    eap
#   Auth-Type eap {
#       eap {
#           handled = 1
#       }
#       if (handled && (Response-Packet-Type == Access-Challenge)) {
#           attr_filter.access_challenge.post-auth
#           handled  # override the "updated" code from attr_filter
#       }
#   }
}

INNER TUNNEL FILE
--------------------------------------------------

server inner-tunnel {
#listen {
#   ipaddr = 127.0.0.1
#   port = 18120
#   type = auth
#}
authorize {
    chap
    mschap
#   unix
#   IPASS
    suffix
#   ntdomain
    update control {
        Proxy-To-Realm := LOCAL
    }
    eap {
        ok = return
    }
    files
#sql
    ntlm_auth
#   etc_smbpasswd
#   ldap
#   daily
#   checkval
    expiration
    logintime
    pap
}
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
#   pam
    ntlm_auth
#   unix
#   Auth-Type LDAP {
#       ldap
#   }
    eap
}

--
Regards
Dhiraj Gaur