3APA3A <[EMAIL PROTECTED]> wrote:
> I  have  updated MS-CHAP authentication to understand cleartext password
> to  avoid  authentication{}  misconfiguration.  But 50% of questions are
> because  of  misconfigured LDAP/SQL etc.

  A substantial amount of questions are answered by "re-order mschap
in authorize".  To me, that means the module is confusing, and should
be fixed.

  mschap_authorize should:
        - look for MS-CHAP attributes, and set
          Auth-Type := MS-CHAP, if found.

  mschap_authenticate should:
        - create NT/LM passwords from configured User-Password,
          if they don't already exist.
        - check User-Password against NT/LM password, if required
          (e.g. NT/LM password from SMB password file, NAS sends
           User-Password)
        - check MS-CHAPv1, MS-CHAPv2 authentication.

  All of the SMB password file related code should be removed.  It
makes the module larger, more complicated, and harder to configure
correctly.

  I'm in the process of doing this now.  The 'rlm_passwd' module
should be used to pull NT/LM passwords from a SMB password file.

  The SMB-Account-CTRL attribute may be useful in the module, but I
haven't decided yet.  But I can't find any documentation saying why
that attribute is being used...

> I think it's time to update all examples in documentation and
> configuration to include := operation for User-Password instead of
> ==.

  That should probably be done, too.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
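The derive-then-check flow sketched above for mschap_authenticate (make an NT-Password from a configured cleartext User-Password when none exists, and check a NAS-sent User-Password against a stored NT hash such as one pulled in by rlm_passwd) looks roughly like this in Python. This is an added illustration, not FreeRADIUS's rlm_mschap code; the attribute dict and the ensure_nt_password / check_user_password helpers are hypothetical, and the LM-Password side is left out.

```python
import hmac
import struct

MASK32 = 0xFFFFFFFF

def _lrot(x: int, n: int) -> int:
    x &= MASK32
    return ((x << n) | (x >> (32 - n))) & MASK32

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often disabled on OpenSSL 3."""
    msg = bytearray(data)
    bit_len = (8 * len(data)) & 0xFFFFFFFFFFFFFFFF
    msg.append(0x80)
    msg.extend(b"\x00" * ((56 - len(msg) % 64) % 64))
    msg += struct.pack("<Q", bit_len)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    # Per round: boolean function, message-word order, shift amounts, additive constant.
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), range(16), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, order, shifts, k in rounds:
            for i, w in enumerate(order):
                a = _lrot(a + fn(b, c, d) + x[w] + k, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers: ABCD -> DABC -> CDAB -> BCDA
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)

def nt_password(user_password: str) -> bytes:
    """NT-Password as MS-CHAP defines it: MD4 over the UTF-16LE encoded password."""
    return md4(user_password.encode("utf-16-le"))

def ensure_nt_password(attrs: dict) -> dict:
    """Hypothetical helper: add NT-Password (hex) from User-Password only if it is missing."""
    out = dict(attrs)
    if "NT-Password" not in out and "User-Password" in out:
        out["NT-Password"] = nt_password(out["User-Password"]).hex().upper()
    return out

def check_user_password(sent_user_password: str, stored_nt_password_hex: str) -> bool:
    """Hypothetical helper: cleartext User-Password from the NAS vs. a stored NT hash."""
    expected = bytes.fromhex(stored_nt_password_hex)
    return hmac.compare_digest(nt_password(sent_user_password), expected)
```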
