This is a discussion on Re: ntlm fall-through within the FreeRADIUS Users forums, part of the Networking and Network Related category.
Alan,

A month ago I configured ntlm authentication for our internal wifi users. This works fine, but now I also needed to give access to some external consultants who didn't have an AD account.

I found a solution however by using the "MS-Chap-Use-NTLM-Auth := 0" variable for those users (but it would be nice if it would automatically fall through when no AD account was found).

Btw, I'm new to the (for me) more advanced features/internals of (free)radius, thanks for explaining it to me.

Stieven Struyf
M.I.S. Division - System Operations
Komatsu Europe International NV
Mechelsesteenweg 586
B-1800 Vilvoorde
Stieven.Struyf@komatsu.eu
Tel. +32 (0)2 2552551

freeradius-users-bounces+stieven.struyf=komatsu.eu@lists.freeradius.org wrote on 12/19/2006 08:24:55 PM:

> Stieven.Struyf@komatsu.eu wrote:
> >
> > All,
> > Does anyone know how I can configure ntlm fall-through, e.g. try to
> > authenticate the user local (via password entry in users file)
>
> No, the "users" file doesn't authenticate anyone. It just adds a
> "known good" password to the request. Some other module takes care of
> authenticating the user.
>
> > and if
> > the user isn't found use ntlm-auth (or first ntlm and afterwards userfile
> > is also ok)?
> > If I comment out the ntlm-auth line in the mschap section of
> > radiusd.conf the user is authenticated locally.
>
> See doc/configurable_failover. You should be able to add a statement
> to the "authenticate" section saying "try FOO, and if that fails, try BAR".
>
> This is really not a recommended configuration, however. It is
> difficult to make it work well.
>
> Perhaps you could say *why* you need this, rather than asking how to
> implement a particular solution.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
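
Per-user exceptions like the one described in the message above are accounts that authenticate outside AD, so they are worth listing periodically. The following is an added example, not part of the original post or of FreeRADIUS: it scans a `users` file for entries that set `MS-CHAP-Use-NTLM-Auth := 0`. The sample file, account names, finding codes and function names are constructed for illustration, and it assumes check items sit on each entry's first line.

```python
import re

# Constructed sample "users" file for illustration (not from the post).
SAMPLE_USERS = """\
# external consultants without an AD account
consultant1  Cleartext-Password := "example-only", MS-CHAP-Use-NTLM-Auth := 0
             Reply-Message = "Guest access"

consultant2  MS-CHAP-Use-NTLM-Auth := 0

staff1       Cleartext-Password := "example-only"

DEFAULT      MS-CHAP-Use-NTLM-Auth := 0
"""

# attribute, operator, value (quoted string or bare token)
ITEM = re.compile(r'([A-Za-z0-9-]+)\s*(:=|==|\+=|=)\s*("(?:[^"\\]|\\.)*"|[^,\s]+)')
PASSWORD_ATTRS = {"cleartext-password", "user-password", "nt-password"}


def parse_check_items(text):
    """Yield (entry_name, {attr: value}) from each entry's first line.

    Assumption: check items sit on the line that starts in column 0;
    indented continuation lines are reply items and are skipped.
    """
    for line in text.splitlines():
        if not line or line[0] in " \t#":
            continue
        parts = line.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
        yield parts[0], {m.group(1).lower(): m.group(3).strip('"')
                         for m in ITEM.finditer(rest)}


def audit_ntlm_bypass(text):
    """Return (entry, finding) for entries that switch off ntlm_auth."""
    findings = []
    for name, items in parse_check_items(text):
        if items.get("ms-chap-use-ntlm-auth") != "0":
            continue
        if name == "DEFAULT":
            code = "default-bypass"   # applies to every user reaching DEFAULT
        elif not PASSWORD_ATTRS & items.keys():
            code = "no-password"      # known-good password must come from elsewhere
        else:
            code = "local-only"       # authenticated locally, never checked against AD
        findings.append((name, code))
    return findings


if __name__ == "__main__":
    for name, code in audit_ntlm_bypass(SAMPLE_USERS):
        print(f"{name}: {code}")
```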