> On 11/30/2009 05:07 PM, freerad...@corwyn.net wrote:
>> At 03:27 PM 11/30/2009, David Mitchell wrote:
>>> 1) Don't specify the Auth-Type. You still want to check the password I
>>> assume. I think your config will let in any user who is in group
>>> "Group1" irrespective of the supplied password.
>>
>> Sigh. Here I was all excited that I had everything working, and was
>> merrily working on my docs and making them into a HOWTO. And you're
>> right on target. Correct user ID any password permits access.
>>
>> So here's my users file once I take that out:
>> DEFAULT Huntgroup-Name == Cisco_Huntgroup, Ldap-Group ==
>> "Infrastructure"
>> Service-Type:=NAS-Prompt-User,cisco-avpair:=shell:priv-lvl=15"
>> DEFAULT Auth-Type = ntlm_auth
>>
>> And now it doesn't work.
>> "Authentication failed".
>>
>> If I switch the order I get:
>> "Authorization failed"
>
> You need to set fall-through so that you still do per user processing.
> This is documented in the raddb/users file and you should also read
> doc/processing_users_file

Or just add Auth-Type := ntlm_auth to the first line (i.e. instead of
Accept). Fall-Through is more elegant since you don't have to add
Auth-Type to every DEFAULT entry.

Ivan Kalik
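
A simplified model of the first-match processing discussed in this thread, added here as an illustration (it is not FreeRADIUS code and not from any poster). It reproduces the two reported failures, both suggested fixes, and the any-password acceptance with Auth-Type Accept; the entry layout, function names and the NAS rejecting a reply without priv-lvl are assumptions.

```python
# Simplified model of first-match processing in a FreeRADIUS "users" file.
# Constructed for illustration; entry layout and names are assumptions.
GROUP = {"Huntgroup-Name": "Cisco_Huntgroup", "Ldap-Group": "Infrastructure"}
PRIV = {"Service-Type": "NAS-Prompt-User", "cisco-avpair": "shell:priv-lvl=15"}
NTLM = {"Auth-Type": "ntlm_auth"}

# Each entry: (check items, control items, reply items, Fall-Through)
CONFIGS = {
    "accept":       [(GROUP, {"Auth-Type": "Accept"}, PRIV, False)],
    "as_posted":    [(GROUP, {}, PRIV, False), ({}, NTLM, {}, False)],
    "swapped":      [({}, NTLM, {}, False), (GROUP, {}, PRIV, False)],
    "fall_through": [(GROUP, {}, PRIV, True), ({}, NTLM, {}, False)],
    "same_line":    [(GROUP, NTLM, PRIV, False)],
}

# Constructed request: an "Infrastructure" member coming in via the Cisco huntgroup.
ADMIN = {"Huntgroup-Name": {"Cisco_Huntgroup"}, "Ldap-Group": {"Infrastructure"}}

def process(entries, request):
    """Walk DEFAULT entries in order and collect control and reply items."""
    control, reply = {}, {}
    for check, set_control, set_reply, fall_through in entries:
        if all(v in request.get(k, ()) for k, v in check.items()):
            for k, v in set_control.items():
                control.setdefault(k, v)
            reply.update(set_reply)
            if not fall_through:
                break  # first match ends processing unless Fall-Through = Yes
    return control, reply

def login(entries, request, password_ok):
    """Return what the admin would see for a good or bad password."""
    control, reply = process(entries, request)
    auth_type = control.get("Auth-Type")
    if auth_type is None:
        return "Authentication failed"  # no method was selected to check the password
    if auth_type != "Accept" and not password_ok:
        return "Authentication failed"  # ntlm_auth rejected the password
    if reply.get("cisco-avpair") != "shell:priv-lvl=15":
        return "Authorization failed"   # NAS received no privilege level
    return "OK"

if __name__ == "__main__":
    for name, cfg in CONFIGS.items():
        good, bad = login(cfg, ADMIN, True), login(cfg, ADMIN, False)
        print(f"{name:13} good password: {good:22} bad password: {bad}")
```
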