Dear Roman Bessyadovskii,

Including mschap in the authorize{} section with "authtype" configured in
the mschap module configuration tells the mschap module that it should
automatically detect an MS-CHAP handshake and set Auth-Type to MS-CHAP if
one is found.

I see 2 possible solutions:
1. Remove authtype from the mschap configuration. If you need both PAP and
MS-CHAP to work you can create an authenticate{} group from pap and mschap.
2. Add the SMB-Account-CTRL parameter.

SMB-Account-CTRL should be 16 for a normal account, 17 for a disabled account
and 1025 for an auto-locked account. In the general case it's a combination
of OR'ed flags:

#define ACB_DISABLED   0x0001  /* 1 = User account disabled */
#define ACB_HOMDIRREQ  0x0002  /* 1 = Home directory required */
#define ACB_PWNOTREQ   0x0004  /* 1 = User password not required */
#define ACB_TEMPDUP    0x0008  /* 1 = Temporary duplicate account */
#define ACB_NORMAL     0x0010  /* 1 = Normal user account */
#define ACB_MNS        0x0020  /* 1 = MNS logon user account */
#define ACB_DOMTRUST   0x0040  /* 1 = Interdomain trust account */
#define ACB_WSTRUST    0x0080  /* 1 = Workstation trust account */
#define ACB_SVRTRUST   0x0100  /* 1 = Server trust account */
#define ACB_PWNOEXP    0x0200  /* 1 = User password does not expire */
#define ACB_AUTOLOCK   0x0400  /* 1 = Account auto locked */

(ACB_NORMAL should always be present, otherwise the account is ignored)

Having SMB-Account-CTRL gives you an additional advantage, because your
Windows users will get a valid message ("account disabled" or "account
locked out") instead of "invalid password".

--Friday, January 24, 2003, 10:45:15 AM, you wrote to 
[EMAIL PROTECTED]:

RB> Hi All.

RB> I need to set up a VPN server with RADIUS login and store passwords in SQL.
RB> I have installed everything correctly (poptop, ppp, freeradius, mysql) and
RB> configured it; users can connect and go through the VPN.

RB> And I want to temporarily disable a user, but I can't.

RB> That's what I do.

RB> mysql> select * from radcheck; 
RB> +----+----------+---------------+----+--------+ 
RB> | id | UserName | Attribute     | op | Value  | 
RB> +----+----------+---------------+----+--------+ 
RB> |  1 | test     | User-Password | == | test   | 
RB> |  2 | test     | Auth-Type     | == | Reject | 
RB> +----+----------+---------------+----+--------+ 

RB> From radiusd.conf:
RB> authorize { 
RB>         preprocess 
RB>         chap 
RB>         suffix 
RB>         sql 
RB>         # 
RB>         #  If the users are logging in with an MS-CHAP-Challenge 
RB>         #  attribute for authentication, the mschap module will find 
RB>         #  the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP' 
RB>         #  to the request, which will cause the server to then use 
RB>         #  the mschap module for authentication. 
RB>         mschap 

RB> } 

RB> As described in the comment, mschap adds (or rewrites) Auth-Type for MS-CHAP and
RB> the user can log in regardless of the Reject in the SQL table.

RB> If in the authorize section I swap the sql and mschap modules and use the following order
RB> authorize { 
RB>         ...
RB>         mschap
RB>         sql
RB> }

RB> In that configuration I receive a reject if I disable the user in the SQL table, but I also
RB> receive a reject for normal (not disabled) users with the following log (radiusd
RB> -X).

RB> rlm_sql (sql): Released sql socket id: 4 
RB>   modcall[authorize]: module "sql" returns ok 
RB> modcall: group authorize returns ok 
RB>   rad_check_password:  Found Auth-Type MS-CHAP 
RB> auth: type "MS-CHAP" 
RB> modcall: entering group authtype 
RB> rlm_mschap: No LM/NT password configured. Check authorization. 
RB>   modcall[authenticate]: module "mschap" returns invalid 
RB> modcall: group authtype returns invalid 
RB> auth: Failed to validate the user. 
RB> Login incorrect: [test/<no User-Password attribute>] (from client localhost
RB> port 0) 
RB> Delaying request 0 for 1 seconds 

RB> How do I need to configure radius for it to work properly?
RB> Or how can I disable a user in that configuration?

RB> Thanks.

RB> Rick.

RB> - 
RB> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-- 
~/ZARAZA


