On Fri, Jul 30, 2004 at 01:10:49PM -0400, Alan DeKok wrote:
> Dave Mussulman <[EMAIL PROTECTED]> wrote:
> > Inside, where the PEAP/MS-CHAPv2 supplied login is being verified.
>
> To authenticate EAP-MSCHAP, the server ends up calling the MSCHAP module.
>
> The MS-CHAP-Use-NTLM-Auth attribute (value yes,no) controls whether
> or not the MSCHAP module uses ntlm_auth.
>
> So.. configure mschap to use ntlm_auth, and then for the users which
> *are* found in SQL, set "MS-CHAP-Use-NTLM-Auth = no".
That's a neat trick, and successfully does what I want. Thank you. That
attribute isn't documented anywhere other than the source code (that I
could find.) You might want to slip that in the radiusd.conf as a
commented out placeholder, or add something to the docs directory for
ntlm_auth. (I would write and submit it, but I only have an elementary
understanding of what goes on there.)

In summary, I am doing EAP/PEAP authentication and want to authenticate
off a flatfile/database. If the user is not in those sources, fall back
to AD authentication. (In my environment, this allows WPA/EAP to be out
of the password management business, except for guest accounts we set
up.) If I comment out the ntlm_auth attribute in radiusd.conf, RADIUS
authenticated off the flatfiles online. If I uncomment, it only
authenticates via ntlm_auth against the AD.

I changed my users file to read:

    chris   User-Password == "chris", MS-Chap-Use-NTLM-Auth := 0

and it worked. If I log in as chris, it authenticates off the plaintext
User-Password. If I log in as anything else, it falls back to ntlm_auth.

Dave

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
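The arrangement Dave describes, written out as a complete FreeRADIUS 1.x configuration (an added example, not from the original thread; the ntlm_auth path and the guest account names are assumptions):

```text
# radiusd.conf: mschap module with ntlm_auth enabled.
# Once this line is present, every MS-CHAPv2 inner authentication is
# handed to ntlm_auth (and so to AD) unless a check item says otherwise.
# The path is an assumption; adjust it to your Samba installation.
mschap {
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

# users file: entries found here take precedence over AD because the
# check item MS-CHAP-Use-NTLM-Auth := 0 tells rlm_mschap to verify the
# response locally, using the NT hash it derives from User-Password.
# A user with no matching entry gets no override, so rlm_mschap falls
# through to ntlm_auth and AD decides.
#
# User-Password has to be cleartext (or NT-Password present) for the
# local MS-CHAPv2 check to work, so keep this file readable only by
# the account radiusd runs as.
chris           User-Password == "chris", MS-CHAP-Use-NTLM-Auth := 0

# Guest accounts (assumed names) that must never be looked up in AD.
guest-wifi-1    User-Password == "changeme-1", MS-CHAP-Use-NTLM-Auth := 0
guest-wifi-2    User-Password == "changeme-2", MS-CHAP-Use-NTLM-Auth := 0
```

To confirm the split, run the server with `radiusd -X`, authenticate once as a local user and once as an AD-only user, and check in the debug output which path rlm_mschap takes for each.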

