ntlm_auth and AD authentication
Paul Ryszka
paul at webangel.ie
Mon Nov 23 20:33:53 CET 2009
On Mon, 2009-11-23 at 13:35 -0500, freeradius at corwyn.net wrote:
> At 10:24 AM 11/23/2009, freeradius at corwyn.net wrote:
> >to confirm, and it looks like it's working.
>
> Hmm. I have two sets of authentication I care about, VPN Users, and
> Cisco switches. I'd like to be able to control access to each of
> those separately (different AD Security Groups, and different shared keys).
>
> I've found instructions for restricting ntlm_auth to a particular
> security group, by adding --require-membership-of={SID|Name} to the
> ntlm_auth command.
>
> But I can't puzzle out how I'd then have one set of authentication
> for one security group, and one set of authentication for a second
> security group (currently any AD user works).
>
> Am I going to have to do something like create different modules
> (ntlm_auth and ntlm_auth2) in the module section of radiusd.conf?
>
> Rick
You need to create two separate entries in modules, having two mschap
entries, something like:
    mschap mschap_group1 {
        ...
        ntlm_auth = "your first ntlm_auth command"
    }
    mschap mschap_group2 {
        ...
        ntlm_auth = "your second ntlm_auth command"
    }
and then have the respective mschaps used in the respective virtual
servers for each client.
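
The layout described in this thread, written out as an added example (not part of the original messages, and not the FreeRADIUS project's own configuration). It assumes FreeRADIUS 2.x file layout and an ntlm_auth binary at /usr/bin/ntlm_auth; every instance name, client name, address, secret and group SID is a constructed placeholder.

```conf
# Constructed example: one mschap instance per AD security group, one
# virtual server per client class, each client with its own shared secret.

# --- modules section of radiusd.conf ---
mschap mschap_vpn {
    # Assumption: the expansion prefix follows the instance name.
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap_vpn:User-Name} --challenge=%{mschap_vpn:Challenge:-00} --nt-response=%{mschap_vpn:NT-Response:-00} --require-membership-of=VPN_GROUP_SID_PLACEHOLDER"
}
mschap mschap_switch {
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap_switch:User-Name} --challenge=%{mschap_switch:Challenge:-00} --nt-response=%{mschap_switch:NT-Response:-00} --require-membership-of=SWITCH_GROUP_SID_PLACEHOLDER"
}

# --- clients.conf: the client entry selects the virtual server ---
client vpn_concentrator {
    ipaddr         = 192.0.2.10
    secret         = VPN_SHARED_SECRET_PLACEHOLDER
    virtual_server = vpn_users
}
client cisco_switches {
    ipaddr         = 198.51.100.0
    netmask        = 24
    secret         = SWITCH_SHARED_SECRET_PLACEHOLDER
    virtual_server = switch_admins
}

# --- sites-enabled/: each server calls only its own mschap instance ---
server vpn_users {
    authorize {
        mschap_vpn
    }
    authenticate {
        Auth-Type MS-CHAP {
            mschap_vpn
        }
    }
}
server switch_admins {
    authorize {
        mschap_switch
    }
    authenticate {
        Auth-Type MS-CHAP {
            mschap_switch
        }
    }
}
```

Because the group check lives in the ntlm_auth command of each instance, a user outside the required group fails authentication only on the virtual server that uses that instance.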