ntlm_auth and AD authentication

Gary Gatten Ggatten at waddell.com
Mon Nov 23 20:39:07 CET 2009


I'm sorta struggling with the same thing, a la a single "NAS" (Cisco
switch) requiring multiple auth types: 1.) VTY / enable access from
NetEng group (in AD), 2.) 802.1x auth for everyone!  Similar with VPN
appliance, VTYs AND IPSec auths.  The request type will differ for each
type of request, so it's "simply" a matter of uniquely identifying each
type of request and performing the conditional processing.  Easy right?
:)

I shared some emails with Ivan on this issue and got close, but then got
involved in other things so it never got fully resolved.  Seems there are
several ways to do it, but I THINK the common thread is to use unlang
and / or hints to set the auth_type as required and/or direct the
requests to a virtual server that does what you need.

If / when I get this worked out I intend to publish a "How To", but if
you beat me to it please share!  I've spent MANY MANY hours on it thus
far and now I've forgotten much of it!

Gary
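As an added illustration of the "one virtual server per NAS, one ntlm_auth instance per AD group" approach discussed above (this is not configuration from Gary, Rick or the FreeRADIUS project), the fragments below show how FreeRADIUS 2.x could split VPN users from switch admins. Client addresses, shared secrets, the EXAMPLE domain and the group SIDs are placeholders, and the exec-based ntlm_auth only works for requests that carry a cleartext User-Password (PAP), not for 802.1x/EAP.

```unlang
# clients.conf: each NAS gets its own shared secret and is routed to its own
# virtual server, so the two request populations never share a policy.
client vpn_appliance {
    ipaddr         = 192.0.2.10          # constructed address
    secret         = CHANGE-ME-vpn       # placeholder secret
    virtual_server = vpn
}
client core_switch {
    ipaddr         = 192.0.2.20          # constructed address
    secret         = CHANGE-ME-switch    # placeholder secret
    virtual_server = switches
}

# modules/ntlm_auth: one exec instance per AD group. --require-membership-of
# makes ntlm_auth fail unless the user is in that group (SIDs are placeholders).
exec ntlm_auth_vpn {
    wait = yes
    program = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --require-membership-of=S-1-5-21-PLACEHOLDER-1105 --username=%{mschap:User-Name} --password=%{User-Password}"
}
exec ntlm_auth_neteng {
    wait = yes
    program = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --require-membership-of=S-1-5-21-PLACEHOLDER-1106 --username=%{mschap:User-Name} --password=%{User-Password}"
}

# sites-available/vpn: only members of the VPN group can authenticate here.
server vpn {
    authorize {
        preprocess
        if (!control:Auth-Type) {
            update control {
                Auth-Type := ntlm_auth_vpn
            }
        }
    }
    authenticate {
        ntlm_auth_vpn
    }
}

# sites-available/switches: only members of the NetEng group can authenticate here.
server switches {
    authorize {
        preprocess
        if (!control:Auth-Type) {
            update control {
                Auth-Type := ntlm_auth_neteng
            }
        }
    }
    authenticate {
        ntlm_auth_neteng
    }
}
```

Listing a module instance bare in an authenticate section is what creates the matching Auth-Type; a request that hits a virtual server whose ntlm_auth instance rejects it (wrong group or wrong password) gets an Access-Reject, which is the check Rick asked for without a second copy of radiusd.conf.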


-----Original Message-----
From: freeradius-users-bounces+ggatten=waddell.com at lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com at lists.freeradius.org] On Behalf Of freeradius at corwyn.net
Sent: Monday, November 23, 2009 12:35 PM
To: FreeRadius users mailing list; freeradius-users at lists.freeradius.org
Subject: Re: ntlm_auth and AD authentication

At 10:24 AM 11/23/2009, freeradius at corwyn.net wrote:
>to confirm, and it looks like it's working.

Hmm. I have two sets of authentication I care about, VPN Users, and 
Cisco switches. I'd like to be able to control access to each of 
those separately (different AD Security Groups, and different shared
keys).

I've found instructions for restricting ntlm_auth to a particular
security group, by adding --require-membership-of={SID|Name} to the
ntlm_auth command.

But I can't puzzle out how I'd then have one set of authentication
for one security group, and one set of authentication for a second
security group. (Currently any AD user works.)

Am I going to have to do something like create different modules
(ntlm_auth and ntlm_auth2) in the modules section of radiusd.conf?

Rick

-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
