Hi,

On Tue, Jul 09, 2013 at 10:58:15AM -0700, Julian Macassey wrote:
> On 2013-07-09 at 10:18, Matthew Newton (m...@leicester.ac.uk) wrote:
> > Try adding the following to the *top* of your users file:
> >
> > evergreen Cleartext-Password := "pa55word", MS-CHAP-Use-NTLM-Auth := 0
>
> When I use the users file, it works. In fact, every possible auth
> protocol works:
...
> I will persevere. I have seen that in the 1.* release
> there was an "Auth-Type System", which was for system username
> password.

Auth-Type System is obsolete and likely won't do what you want.

What you want can be done, but you need to fix up some things.

First to note (as said before) and importantly, your client is configured to use PEAP/MS-CHAPv2. That *won't* work with /etc/password, full stop. There is no way to get that to work, so there's no point looking any more.

If you change your client to use EAP-TTLS/PAP, then you should be able to get it to work. This is because the client will then send the cleartext password (inside the TTLS encrypted tunnel) which can be used to check against the /etc/shadow hash.

In your modules directory, configure 'passwd' to read the /etc/passwd or /etc/shadow file appropriately. Make sure that freeradius has permission to read shadow, which is normally restricted.

In your sites-enabled/inner-tunnel file, add 'etc_passwd' (or whatever the name of the passwd module is in modules/passwd) into the authorize section near the top (definitely above 'pap').

In your eap.conf you can edit default_eap_type to be 'ttls' to save a bit of negotiation time when connecting, and then in the ttls{} section set default_eap_type to pap.

Then watch the debug output and make sure that the client is doing EAP-TTLS/PAP. If not, fix the client as otherwise there's no chance of getting it to work. Macs and Linux should be OK.

You might have problems if the system is using the newer $n$.... type passwords. It will be possible to get working, but might be harder to check if the password is OK.

Try the above and send full debug output if it's still failing.

Cheers

Matthew

-- 
Matthew Newton, Ph.D. <m...@le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ith...@le.ac.uk>
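
The message above warns that the newer `$n$` password formats may be harder to check, so it helps to know which crypt(3) scheme each account uses before pointing the passwd module at /etc/shadow. The following is an added example, not part of the original message or of FreeRADIUS; the function names and the sample entries are constructed for illustration.

```python
import re

# crypt(3) scheme identifiers found between the first pair of '$' signs.
SCHEMES = {
    "1": "md5-crypt",
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256-crypt",
    "6": "sha512-crypt",
    "y": "yescrypt",
}

def classify_hash(field):
    """Return the scheme name for the password field of one shadow entry."""
    if field == "":
        return "empty"                      # no password set
    if field[0] in "!*":
        return "locked"                     # account locked or login disabled
    m = re.match(r"^\$([0-9a-z]+)\$", field)
    if m:
        return SCHEMES.get(m.group(1), "unknown-$" + m.group(1) + "$")
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "des-crypt"                  # traditional 13-character hash
    return "unknown"

def audit_shadow(text):
    """Map each user in shadow-format text to the scheme of its hash."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue                        # malformed line, skip it
        result[parts[0]] = classify_hash(parts[1])
    return result

# Constructed sample entries (hash bodies are fillers, not real hashes).
SAMPLE = """\
evergreen:$6$examplesalt$FILLERFILLERFILLER:15895:0:99999:7:::
olduser:ab0123456789A:15000:0:99999:7:::
legacy:$1$examplesalt$FILLERFILLER:15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
locked:!$6$examplesalt$FILLER:15000:0:99999:7:::
"""

if __name__ == "__main__":
    for user, scheme in audit_shadow(SAMPLE).items():
        print(f"{user:10} {scheme}")
```

To audit a real system, pass the contents of /etc/shadow to `audit_shadow()` from an account that is allowed to read the file.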