ntlm_auth and AD authentication

freeradius at corwyn.net freeradius at corwyn.net
Mon Nov 23 21:05:18 CET 2009


At 02:33 PM 11/23/2009, Paul Ryszka wrote:
>On Mon, 2009-11-23 at 13:35 -0500, freeradius at corwyn.net wrote:
> > Am I going to have to do something like create different modules
> > (ntlm_auth and ntlm_auth2) radiusd.conf in the module section?
>
>You need to create two separate entries in modules having two mschap
>entries, something like:
>mschap mschap_group1 {
>         ...
>         ntlm_auth = "your first ntlm_auth command"
>}
>mschap mschap_group2 {
>         ...
>         ntlm_auth = "your second ntlm_auth command"
>}
>and then have the respective mschaps used in the respective virtual
>servers for each client.

I currently have (working)
exec ntlm_auth {
        wait = yes
        program = "/usr/bin/ntlm_auth ntlm_auth --request-nt-key --domain=int.invtitle.com --username=%{mschap:User-Name} --password=%{User-Password} --require-membership-of=int.example.com+VPN_Users"
}

so I'm not sure how that relates to mschap groups? I don't currently
have a mschap group at all in the radiusd.conf file.

Would I just create
exec ntlm_auth_2 {
        wait = yes
        program = "/usr/bin/ntlm_auth ntlm_auth --request-nt-key --domain=int.invtitle.com --username=%{mschap:User-Name} --password=%{User-Password} --require-membership-of=int.example.com+Cisco_Users"
}

And how do I control which group is used for auth from a specific client?

Rick
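
One way to tie each exec instance to a specific client, following the virtual-server approach from the quoted reply. This is an added example, not configuration from the thread. It assumes FreeRADIUS 2.x virtual servers and the two exec instances named ntlm_auth and ntlm_auth_2 above; the client names, addresses, secrets, server names and file names are constructed placeholders.

```conf
# clients.conf: bind each NAS to its own virtual server.
# Client names, addresses and secrets are constructed placeholders.
client vpn_concentrator {
        ipaddr = 192.0.2.10
        secret = CHANGE_ME_VPN
        virtual_server = vpn_users
}
client cisco_devices {
        ipaddr = 192.0.2.20
        secret = CHANGE_ME_CISCO
        virtual_server = cisco_users
}

# sites-enabled/vpn_users (hypothetical file and server name)
server vpn_users {
        authorize {
                preprocess
                # Select the exec instance that requires VPN_Users
                update control {
                        Auth-Type := ntlm_auth
                }
        }
        authenticate {
                # With wait = yes, a non-zero exit from the
                # program rejects the request
                Auth-Type ntlm_auth {
                        ntlm_auth
                }
        }
}

# sites-enabled/cisco_users (hypothetical file and server name)
server cisco_users {
        authorize {
                preprocess
                # Select the exec instance that requires Cisco_Users
                update control {
                        Auth-Type := ntlm_auth_2
                }
        }
        authenticate {
                Auth-Type ntlm_auth_2 {
                        ntlm_auth_2
                }
        }
}
```

A client with no virtual_server setting is handled by the default server, so the group restriction only applies to clients mapped as above.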




