On a test deployment I've both mysql and ntlm (AD) configured.
If I use EAP no problem to authenticate users on both backend.
But…in the process to use a Cisco WLC captive portal I've verified that only
sql works.
If I add in users DEFAULT Auth-Type = ntlm_auth, then also AD users
On 11/05/12 11:40, Paolo Barbato wrote:
On a test deployment I've both mysql and ntlm (AD) configured.
By ntlm you mean the mschap module calling the ntlm_auth helper, yes?
If I use EAP no problem to authenticate users on both backend.
But…in the process to use a Cisco WLC captive portal
Phil…really helpful. Thanks !!!
On 11/May/2012, at 13:43, Phil Mayers wrote:
On 11/05/12 11:40, Paolo Barbato wrote:
On a test deployment I've both mysql and ntlm (AD) configured.
By ntlm you mean the mschap module calling the ntlm_auth helper, yes?
If I use EAP no problem
Hi
I checked that rlm_mschap converts the CHAP_CHALLENGE from radius packet
into other format that used in ntlm_auth.
Radius Packet: MS-CHAP-Challenge = 0x7e95c31b02cd054fd1dcacea7c2fb358
Radius -X output for Ntlm_auth: expand:
--challenge=%{%{mschap:Challenge}:-00} -
On 24/04/12 13:44, Ali Majdzadeh wrote:
Hi
I checked that rlm_mschap converts the CHAP_CHALLENGE from radius packet
into other format that used in ntlm_auth.
Radius Packet: MS-CHAP-Challenge = 0x7e95c31b02cd054fd1dcacea7c2fb358
Radius -X output for Ntlm_auth: expand:
Yes I did. I also read rlm_mschap sources and dependent libraries.
May lead me which section explain this function?
2012/4/24 Phil Mayers p.may...@imperial.ac.uk
On 24/04/12 13:44, Ali Majdzadeh wrote:
Hi
I checked that rlm_mschap converts the CHAP_CHALLENGE from radius packet
into
Unfortunately, I sent it...
2012/4/24 Ali Majdzadeh ali.majdza...@gmail.com
Yes I did. I also read rlm_mschap sources and dependent libraries.
May lead me which section explain this function?
2012/4/24 Phil Mayers p.may...@imperial.ac.uk
On 24/04/12 13:44, Ali Majdzadeh wrote:
Hi
I checked
Ali Majdzadeh wrote:
Yes I did. I also read rlm_mschap sources and dependent libraries.
May lead me which section explain this function?
We did.
The RFC's are clear. The source code in rlm_mschap is clear.
This list is about FreeRADIUS. It is *not* the place to learn how
MS-CHAP
On 24/04/12 15:48, Ali Majdzadeh wrote:
Yes I did. I also read rlm_mschap sources and dependent libraries.
May lead me which section explain this function?
I'm sorry, I don't understand you.
This discussion has become off-topic for this list. I'm afraid you are
going to have to work this
On 04/15/2012 09:51 PM, Ali Majdzadeh wrote:
Hi
Tnx for Ur fast reply.
As I explained, I know that the format is different from the original
attributes. I want to know that:
If I want to run it from commandline, how can I convert the challenge and
response attributes to which they can be used in
Hi
Tnx for Ur fast reply.
As I explained, I know that the format is different from the original
attributes. I want to know that:
If I want to run it from commandline, how can I convert the challenge and
response attributes to which they can be used in command line?
In other word, I want to use
Ali Majdzadeh wrote:
As I explained, I know that the format is different from the original
attributes. I want to know that:
If I want to run it from commandline, how can I convert the challenge and
response attributes to which they can be used in command line?
You read the MS-CHAP RFCs, and
Hi
I’m using FreeRadius 2.1.12 with mschap and ntlm_auth external execution
module as follows:
ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
--challenge=%{%{mschap:Challenge}:-00}
--nt-response=%{%{mschap:NT-Response}:-00}
with radius -X, I saw that the challenge and response is different from that
I got in auth_log in same session. So if I run ntlm_auth with new values,
it’s OK! what’s wrong?
Freeradius processes the mschapv2 challenge into a different format required by
samba. There's nothing wrong. This is
.1045715.n5.nabble.com/mschap-NTLM-and-different-membership-of-with-variables-tp5433169p5433223.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hello,
I understand it correctly, that I can't use peap + mschapv2 with ldap? I'm really
confused atm, what I can really use, every time I think it's fine, I found another
unsecure thing :/
Thanks
a plain text
password, or the NTLM hash of the password.
If your LDAP directly has plain text passwords, or NTLM hashes, then you
can use it for authentication.
You can use LDAP for authorization in any case.
Regards,
James
-CHAPv2, LDAP has to provide FR with either a plain text
password, or the NTLM hash of the password.
If your LDAP directly has plain text passwords, or NTLM hashes, then
you can use it for authentication.
You can use LDAP for authorization in any case.
Regards,
James
another unsecure thing :/
To use PEAP/MS-CHAPv2, LDAP has to provide FR with either a plain text
password, or the NTLM hash of the password.
If your LDAP directly has plain text passwords, or NTLM hashes, then
you can use it for authentication.
You can use LDAP for authorization in any case
On 10/23/2011 06:03 PM, Andreas Rudat wrote:
another problem, I tried to test the connection with
ntlm_auth --request-nt-key --domain=foo.bar --username=test --password=test
and get the message
NT_STATUS_INVALID_HANDLE: Invalid handle (0xc008)
Samba problem. Consult the samba docs or
On 23.10.2011 22:04, Phil Mayers wrote:
On 10/23/2011 06:03 PM, Andreas Rudat wrote:
another problem, I tried to test the connection with
ntlm_auth --request-nt-key --domain=foo.bar --username=test
--password=test
and get the message
NT_STATUS_INVALID_HANDLE: Invalid handle (0xc008)
the client enter his username and password it's come to FreeRADIUS
and do Authentication via NTLM-AUTH Active Directory to verify user entry
Then do Authorization via mysql .
# If the user found in Active Directory only and not existing in Mysql will
login without any policy like Limited Download and login
This my second post
and no reply
UP UP
--
View this message in context:
http://freeradius.1045715.n5.nabble.com/NTLM-Auth-and-mysql-tp4499034p4499945.html
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On
Behalf Of motaibi
Sent: Friday, June 17, 2011 3:50 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: NTLM Auth and mysql
This my second post
and no reply
UP UP
--
View this message in context:
http
: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On
Behalf Of motaibi
Sent: Friday, June 17, 2011 10:08 AM
To: freeradius-users@lists.freeradius.org
Subject: NTLM Auth and mysql
Dear Guys,
i have this setup
-users-bounces+ggatten=waddell@lists.freeradius.org
[mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On
Behalf Of Sallee, Stephen (Jake)
Sent: Friday, June 17, 2011 4:06 PM
To: FreeRadius users mailing list
Subject: RE: NTLM Auth and mysql
I should also note that all
I'm sorry man , but it's real related to freeradius
it's my main software
--
View this message in context:
http://freeradius.1045715.n5.nabble.com/NTLM-Auth-and-mysql-tp4499034p4500064.html
+ggatten=waddell@lists.freeradius.org
[mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On
Behalf Of motaibi
Sent: Friday, June 17, 2011 4:43 PM
To: freeradius-users@lists.freeradius.org
Subject: RE: NTLM Auth and mysql
I'm sorry man , but it's real related
Hi Gary
Thanks man for reply i will try with some of Mysql forms
and meanwhile ask your web team how he did it ?
i real appreciate help dude
--
View this message in context:
http://freeradius.1045715.n5.nabble.com/NTLM-Auth-and-mysql-tp4499034p4500070.html
Sent: Friday, June 17, 2011 4:49 PM
To: freeradius-users@lists.freeradius.org
Subject: RE: NTLM Auth and mysql
Hi Gary
Thanks man for reply i will try with some of Mysql forms
and meanwhile ask your web team how he did it ?
i real appreciate help dude
--
View this message in context:
http
motaibi wrote:
I'm sorry man , but it's real related to freeradius
it's my main software
If you don't believe the answers on this list, why are you asking
questions here?
Alan DeKok.
Hi,
I am authenticating my Cisco devices by integrating FreeRadius with Active
Directory. Not using LDAP but ntlm_auth.
Now If I make a group on my AD server for example Router Admins and put some
users in it. Now, where would I define in the FreeRadius that only users from
Router Admin
http://technet.microsoft.com/en-us/library/dd560653(WS.10).aspx
microsoft appears to be making steps to kill NTLM as it isn't secure
On Tue, 23 Nov 2010, Phil Mayers wrote:
On 23/11/10 15:43, JR Mayberry wrote:
Is there a preferred method for doing EAP (from Wireless infrastructure
JR Mayberry wrote:
http://technet.microsoft.com/en-us/library/dd560653(WS.10).aspx
microsoft appears to be making steps to kill NTLM as it isn't secure
Read that as people are using it in open source products.
The security issues with NTLM are well known, and haven't changed in
10
On 11/24/2010 06:10 PM, JR Mayberry wrote:
http://technet.microsoft.com/en-us/library/dd560653(WS.10).aspx
microsoft appears to be making steps to kill NTLM as it isn't secure
It is important to distinguish between NTLM-the-wire-protocol, and
ntlm_auth, the Samba helper binary, which
Is there a preferred method for doing EAP (from Wireless infrastructure) to
Active Directory for authentication via FreeRADIUS? Or is there an
alternative to EAP?
It appears that NTLM is being deprecated and Samba is removing support in
RedHat 5 but NTLM seems to be the current
On 23/11/10 15:43, JR Mayberry wrote:
Is there a preferred method for doing EAP (from Wireless infrastructure) to
Active Directory for authentication via FreeRADIUS? Or is there an
alternative to EAP?
Samba domain membership and callout to the ntlm_auth helper binary.
It appears that NTLM
I am having two problems and not sure where to look
From the Users file
userjeff Cleartext-Password := BADPASS
Juniper-Local-User-Name = engineer,
Service-Type = Login-User,
Reply-Message = Hello, %{User-Name},
Fall-Through = Yes
Could you please share the perl scripts and the corresponding
configuration in radiusd.conf like authorize and post-auth section
related to these logs?
Unfortunately, I would need to get a release from my company as the code
belongs to them. I cannot post it at this time. You may want to
Thanks.
Could you please share the perl scripts and the corresponding
configuration in radiusd.conf like authorize and post-auth section
related to these logs?
Schilling
On Wed, Nov 10, 2010 at 10:04 PM, Garber, Neal
neal.gar...@iberdrolausa.com wrote:
Could you please summarize what you
Could you please summarize what you did to log the output from
ntlm_auth and MS_CHAP-Error?
Sure. I should mention that other options are available now that didn't exist
when I created the solution below...
I have a PERL script that runs during authorize that obtains user/group or
Hi,
Could you please summarize what you did to log the output from
ntlm_auth and MS_CHAP-Error? Even with configuration snippet will be
greatly appreciated!
Thanks,
Schilling
On Wed, Sep 8, 2010 at 5:02 PM, Garber, Neal
neal.gar...@iberdrolausa.com wrote:
Hmm... OK. The issue appears to be
on with radius
accounting using the following scenario:
our users authenticate to the Windows Domain, and when they try to
access the internet they hit a firewall protected policy which
requires authentication. now instead of authenticating via the
firewall captive portal I want to use NTLM to check is the user
On 10/22/2010 07:12 AM, Ramzi Abdallah wrote:
exactly right the firewall is prompting the user to authenticate using
its internal captive portal page.
... requires authentication. now instead of authenticating via the
firewall captive portal I want to use NTLM to check is the user is
already
I have configured freeradius version 2.1.9 with mySQL backend and Active
Directory integration (NTLM) for the purpose of using it to authenticate
users against firewall protected policies.
So far it’s all working. When a user hits a firewall protected policy he is prompted to authenticate
On 10/21/2010 10:40 PM, Ramzi Abdallah wrote:
I have configured freeradius version 2.1.9 with mySQL backend and Active
Directory integration (NTLM) for the purpose of using it to authenticate
users against firewall protected policies.
So far it’s all working. When a user hits a firewall
Garber, Neal wrote:
You are a gentleman and a scholar! I have made the changes as you suggested
for PEAP and tested PEAP-MSCHAPv2. It works! I am now able to log the
output from ntlm_auth and MS-CHAP-Error. I'm also excited about the improved
TLS logging in 2.1.10.
:)
I will add
On Tue, 2010-09-07 at 22:26 +0200, Alan DeKok wrote:
John Horne wrote:
We have been running 3 servers with 2.1.10 (taken from git a while ago)
The proxy change went in August 4.
for some time with no problems. They act as a proxy, receiving requests
from wireless lan controllers and
John Horne wrote:
We don't have that exact scenario, but, for whatever reason, we were
seeing the home servers being marked dead/zombie extremely frequently -
usually every few minutes.
Network packet loss, etc. ...
With the later git version (dated 1 September in the changelog file) we
Uh... eapol-test supports TTLS. See the FreeRADIUS source:
src/tests/eap-ttls-*.conf
Ugh.. I should have checked the doc. I should be able to do the TTLS change
independently (i.e., you can ignore the post to the devel list related to
this). Thanks for enlightening me :-)
Garber, Neal wrote:
I just cloned and built the latest 2.1.10 to do some testing. I did a
PEAP-MSCHAPv2 authentication, with bad credentials, using eapol_test. What I
found seems to indicate the problem I was referring to still exists in 2.1.10
(probably because I wasn't clear enough in
Hmm... OK. The issue appears to be that the tunneled reply is saved
for Access-Accept, but not Access-Reject.
See accept_vps in rlm_eap_peap/*. Something similar needs to be
done for reject, and for TTLS.
You are a gentleman and a scholar! I have made the changes as you suggested
for PEAP
Sion wrote:
On Mon, Sep 6, 2010 at 12:54 PM, Alan DeKok al...@deployingradius.com wrote:
Sion wrote:
I've also tried outer.reply, but I'm still not seeing it show up in my logs.
sigh And the debug log says... ?
Just set use_tunneled_reply = yes
Alan DeKok.
On Tue, Sep 7, 2010 at 8:45 AM, Alan DeKok al...@deployingradius.com wrote:
Sion wrote:
On Mon, Sep 6, 2010 at 12:54 PM, Alan DeKok al...@deployingradius.com
wrote:
Sion wrote:
I've also tried outer.reply, but I'm still not seeing it show up in my
logs.
sigh And the debug log says... ?
--On Tuesday, September 07, 2010 14:11:42 +0100 Sion mle...@gmail.com
wrote:
On Tue, Sep 7, 2010 at 8:45 AM, Alan DeKok al...@deployingradius.com
wrote:
Sion wrote:
On Mon, Sep 6, 2010 at 12:54 PM, Alan DeKok al...@deployingradius.com
wrote:
Sion wrote:
I've also tried outer.reply, but
but it seems the next packet sent is a Challenge, not reject/accept.
Therefore the message does not persist until reject/accept time.
Hmm.. It seems I've heard that before:
http://lists.cistron.nl/pipermail/freeradius-users/2009-August/msg00326.html
Garber, Neal wrote:
but it seems the next packet sent is a Challenge, not reject/accept.
Therefore the message does not persist until reject/accept time.
Hmm.. It seems I've heard that before:
http://lists.cistron.nl/pipermail/freeradius-users/2009-August/msg00326.html
Fixed in 2.1.9.
Fixed in 2.1.9.
Great (I guess missed that in the change log). Was the change to eliminate the
extra round trip? If so, would you accept a patch to set
Module-Failure-Message upon failure of ntlm_auth in rlm_mschap (as was
originally implemented in the fix for bug 398 in v1.1.4)?
Thanks
Garber, Neal wrote:
Fixed in 2.1.9.
Great (I guess missed that in the change log). Was the change to eliminate
the extra round trip?
IIRC, it was to remember replies better. When the inner tunnel
returns accept and the outer sends a challenge... remember the accept
for later.
If so,
On Tue, 2010-09-07 at 21:19 +0200, Alan DeKok wrote:
I'd like to get some feedback on the pre-release of 2.1.10, especially
the changes to the proxy code.
We have been running 3 servers with 2.1.10 (taken from git a while ago)
for some time with no problems. They act as a proxy, receiving
John Horne wrote:
We have been running 3 servers with 2.1.10 (taken from git a while ago)
The proxy change went in August 4.
for some time with no problems. They act as a proxy, receiving requests
from wireless lan controllers and (mostly) proxying them on to MS IAS.
Is there any
On Tue, 2010-09-07 at 22:26 +0200, Alan DeKok wrote:
John Horne wrote:
We have been running 3 servers with 2.1.10 (taken from git a while ago)
The proxy change went in August 4.
Ah. Our versions date back to June. I'll see about upgrading them to a
later 2.1.10 version. (Hopefully that
I'll take a look...
Thanks.
I'd like to get some feedback on the pre-release of 2.1.10,
especially the changes to the proxy code.
I'll download the latest 2.1.10 tomorrow; unfortunately, I won't have a chance
to test it until next week. Also, we don't use proxying, at the moment, but I
IIRC, it was to remember replies better. When the inner tunnel
returns accept and the outer sends a challenge... remember the
accept for later.
I just cloned and built the latest 2.1.10 to do some testing. I did a
PEAP-MSCHAPv2 authentication, with bad credentials, using eapol_test. What
On Fri, Sep 3, 2010 at 10:30 PM, Alan DeKok al...@deployingradius.com wrote:
Sion wrote:
This had actually crossed my mind but I had tried testing this in the
post-auth section as well.
What section should I do this in? Would something like this work?
update outer {
Sion wrote:
I've also tried outer.reply, but I'm still not seeing it show up in my logs.
sigh And the debug log says... ?
Alan DeKok.
On Mon, Sep 6, 2010 at 12:54 PM, Alan DeKok al...@deployingradius.com wrote:
Sion wrote:
I've also tried outer.reply, but I'm still not seeing it show up in my logs.
sigh And the debug log says... ?
rad_recv: Access-Request packet from host 192.168.196.13 port 32768,
id=113, length=175
Hi,
I've got freeradius 2.1.7 setup on a CentOS system working as an AAA server
for our WPA Enterprise based wireless network with clients successfully
authenticating using PEAP and TTLS. Now to my question, I've configured
linelog to log certain attributes but I also want it to log either the
Sion wrote:
I've got freeradius 2.1.7 setup on a CentOS system working as an AAA
server for our WPA Enterprise based wireless network with clients
successfully authenticating using PEAP and TTLS. Now to my question,
I've configured linelog to log certain attributes but I also want it to
log
On Fri, Sep 3, 2010 at 11:47 AM, Alan DeKok al...@deployingradius.com wrote:
Sion wrote:
I've got freeradius 2.1.7 setup on a CentOS system working as an AAA
server for our WPA Enterprise based wireless network with clients
successfully authenticating using PEAP and TTLS. Now to my
Sion wrote:
That's what I thought, but in my linelog log it shows it being empty.
The MS-CHAP-Error is in the reply.
I've tried putting 'linelog' in the post-auth sections of both the
default and inner-tunnel virtual servers but no joy. Am I missing
something obvious here?
See the
On Fri, Sep 3, 2010 at 12:58 PM, Alan DeKok al...@deployingradius.com wrote:
Sion wrote:
That's what I thought, but in my linelog log it shows it being empty.
The MS-CHAP-Error is in the reply.
I've tried putting 'linelog' in the post-auth sections of both the
default and inner-tunnel
Sion wrote:
Still no luck I'm afraid. Here's the output of radiusd -X in case it helps:
Reading it helps.
The MS-CHAP-Error is in the inner-tunnel virtual server. You are
trying to log it in the default virtual server.
Alan DeKok.
On Fri, Sep 3, 2010 at 3:32 PM, Alan DeKok al...@deployingradius.com wrote:
Sion wrote:
Still no luck I'm afraid. Here's the output of radiusd -X in case it helps:
Reading it helps.
The MS-CHAP-Error is in the inner-tunnel virtual server. You are
trying to log it in the default virtual
Sion wrote:
That was one of the first things I did after reading the debug output
originally - I've got 'linelog' in the post-auth section of the
inner-tunnel in addition to the default virtual server.
The post-auth section of inner-tunnel isn't used, unfortunately.
If I take
linelog
On Fri, Sep 3, 2010 at 4:25 PM, Alan DeKok al...@deployingradius.com wrote:
Sion wrote:
That was one of the first things I did after reading the debug output
originally - I've got 'linelog' in the post-auth section of the
inner-tunnel in addition to the default virtual server.
The post-auth
Sion wrote:
This had actually crossed my mind but I had tried testing this in the
post-auth section as well.
What section should I do this in? Would something like this work?
update outer {
MS-CHAP-Error = %{reply:MS-CHAP-Error}
}
You need to refer to a *list*:
To: 'FreeRadius users mailing list'
Subject: RE: Users File co-existing with NTLM-Auth
Yeah, there's a way. I had / have similar requirements. I *think*
with some unlang and maybe a fall-through here or there... I haven't
quite figured this out, but I'm pretty sure it can be done. From what
I've
21, 2010 9:22 AM
To: 'FreeRadius users mailing list'
Subject: RE: Users File co-existing with NTLM-Auth
Crap.
Nathan Van Fleet
-Original Message-
From: freeradius-users-
bounces+nmcdavit=alcor.concordia...@lists.freeradius.org
[mailto:freeradius-users-
bounces+nmcdavit
use that to direct to different look-ups.
Otherwise I think I would try to use files with a fall-through to NTLM.
Nathan McDavit-Van Fleet wrote:
Can someone maybe describe exactly what's happening internally?
The debug output shows exactly what it is doing, and often also shows why.
From my
understanding it should be checking files as per the setup in
inner-tunnel which is what mschap uses. I made
-
bounces+nmcdavit=alcor.concordia...@lists.freeradius.org] On Behalf Of
Alan DeKok
Sent: Wednesday, April 21, 2010 11:46 AM
To: FreeRadius users mailing list
Subject: Re: Users File co-existing with NTLM-Auth
Nathan McDavit-Van Fleet wrote:
Can someone maybe describe exactly what's happening
Nathan McDavit-Van Fleet wrote:
I have a users file with name and password. I would like Freeradius to check
if there is a good username/password in the users file before failing using
ntlm_auth.
That's not quite it... the users file *sets* the known good
password in the authorize stage of
that ntlm-AD works, and so do files. It's just that files
don't work while ntlm_auth is enabled.
Nathan Van Fleet
-Original Message-
From: freeradius-users-
bounces+nmcdavit=alcor.concordia...@lists.freeradius.org
[mailto:freeradius-users-
bounces+nmcdavit=alcor.concordia
, it's a regular FR install. Can you tell me what configs you
want to know?
Attached are mschap and inner-tunnel since I think those would be most
relevant. Note that ntlm-AD works, and so do files. It's just that files
don't work while ntlm_auth is enabled.
I'm not sure what you mean
21, 2010 2:04 PM
To: FreeRadius users mailing list
Subject: Re: Users File co-existing with NTLM-Auth
Nathan McDavit-Van Fleet wrote:
I followed the configuration off of deployingfreeradius.com
http://deployingradius.com/documents/configuration/active_directory.html
That's a good
I was able to get ntlm-auth working with AD integration. But unfortunately
this stops the existing users in the users' file from being checked. Whenever
I have the ntlm_auth = line configured in modules/mschap, my users file is
not checked. If I comment out ntlm_auth the users file works again
] On
Behalf Of Nathan McDavit-Van Fleet
Sent: Tuesday, April 20, 2010 3:25 PM
To: 'FreeRadius users mailing list'
Subject: Users File co-existing with NTLM-Auth
I was able to get ntlm-auth working with AD integration. But unfortunately
this stops the existing users in the users' file from being checked
Greetings,
I am trying to authenticate my network against Windows 2003 Active
Directory. With help from Ivan Kalik, I was able to use NTLM to
communicate with Windows 2003 server and authenticate EAP clients. On
the EAP side I am using PEAP since they are mostly windows XP clients
and I don't
I am trying to authenticate my network against Windows 2003 Active
Directory. With help from Ivan Kalik, I was able to use NTLM to
communicate with Windows 2003 server and authenticate EAP clients. On
the EAP side I am using PEAP since they are mostly windows XP clients
and I don't think
Hi,
I was setting up NTLM auth against AD and it works well however I wanted
to add another server sections in the config and that was working ok too
up to the point when somebody wants to do mschap authentication against
something else than AD
I followed the recommendations and add
I was setting up NTLM auth against AD and it works well however I wanted
to add another server sections in the config and that was working ok too
up to the point when somebody wants to do mschap authentication against
something else than AD
I followed the recommendations and add the following
Thank you!!!
On Wed, 2009-11-04 at 12:17 +, Ivan Kalik wrote:
I was setting up NTLM auth against AD and it works well however I wanted
to add another server sections in the config and that was working ok too
up to the point when somebody wants to do mschap authentication against
Hi All,
After a bit of investigation and playing, I've made some changes to the
rlm_mschap module that seems to have fixed my problem. It now no longer
trims the machine authentication domain name, and so based on the
ntlm_auth line from Alan DeKok's How-To on deployingradius.org will handle
both
Hi,
Following up from this, I think I've discovered what the real problem here
is. I think there's a problem with the MS-CHAP module
The module looks in the username to find host/ at the beginning, and if it
does then handles it differently. Whilst it sets the username section
correctly, it
.
From:
freeradius-users-bounces+neal.garber=energyeast@lists.freeradius.org
[mailto:freeradius-users-bounces+neal.garber=energyeast@lists.freeradius.org] On Behalf Of Rupert Finnigan
Sent: Monday, June 01, 2009 2:59 PM
To: FreeRadius users mailing list
Subject: NTLM Auth Help
Hi,
We pass hostname$ to ntlm_auth by rewriting the User-Name attribute as
follows:
attr_rewrite machine_UserName {
attribute = User-Name
searchin = packet
searchfor = ^host/(.*).domain.name
replacewith =
why? with recent versions of FreeRADIUS this just works(tm) with no
rewriting needed
- just ensure that the ntlm_auth line has the correct arguments and
you have the ntdomain stuff turned on .
we used to have all kinds of hacky stuff in our config...almost all
of it is now wiped away
Hi,
2009/6/2 a.l.m.bu...@lboro.ac.uk
why? with recent versions of FreeRADIUS this just works(tm) with no
rewriting needed
- just ensure that the ntlm_auth line has the correct arguments and
you have the ntdomain stuff turned on .
I've tried, and can't make the default work. I've got
Hi,
If I follow the logic as supplied by Neil, and remove the --domain option
then this works fine for all users in all domains, and machines in same
domain that winbind was joined to, but not machines from remote domains. If
ah! multiple remote domains - not in a forest of trust?
I can't