ntlm_auth and AD authentication

Garber, Neal Neal.Garber at energyeast.com
Mon Nov 23 21:09:49 CET 2009


> Hmm. I have two sets of authentication I care about, VPN Users, and 
> Cisco switches. I'd like to be able to control access to each of 
> those separately (different AD Security Groups, and different shared 
> keys).

I'm not sure what you mean by "different shared keys" - can you clarify?  Also, perhaps I do not understand your requirement; but, I think you mean authorization, not authentication above.  Authentication is validation of a user/password combination.  Authorization is checking to determine what type of access (if any) a user should have to a device.  

If I haven't misunderstood what you're trying to do, then I would determine the type of access the user has in the authorization section.  Personally, I use a Perl module for authorization because we have many different types of devices/groups, including controlling access to several wireless networks.  The Perl module obtains the user's groups from LDAP (including their default group which isn't in the memberOf attribute) and uses a hash that specifies user/group/machine/container to NAS mappings and optionally allows returning custom VSAs.  This may be overkill for you, I'm not sure.

You could define multiple mschap modules (that's where ntlm_auth is defined) and use unlang to call the appropriate module.  But, this would quickly become unmanageable if you have many different groups you want to test during authorization.  If all you will ever have is two groups, then I suppose it wouldn't be an issue.




More information about the Freeradius-Users mailing list
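The two-module arrangement described in the reply above (separate mschap instances, each driving ntlm_auth, selected with unlang), as an added configuration example that is not part of the original thread and not the FreeRADIUS project's own shipped config. Everything page-specific is assumed: the instance names mschap_vpn and mschap_switches, the huntgroup names, the NAS addresses, the shared secrets, the AD group DNs, the ntlm_auth path and the domain name are all placeholders to replace. The file-name comments follow the FreeRADIUS 2.x raddb layout.

```conf
# --- raddb/clients.conf: a distinct shared secret per NAS population ---
# (placeholder addresses and secrets)
client vpn-concentrator {
        ipaddr    = 192.0.2.10
        secret    = CHANGEME-vpn-secret
        shortname = vpn
}
client switch-core {
        ipaddr    = 192.0.2.20
        secret    = CHANGEME-switch-secret
        shortname = sw-core
}

# --- raddb/huntgroups: tag requests by which NAS sent them ---
# (read by the preprocess module; Huntgroup-Name is then usable in unlang)
vpn       NAS-IP-Address == 192.0.2.10
switches  NAS-IP-Address == 192.0.2.20

# --- raddb/modules/mschap: two instances of the same module ---
# Caveat: the mschap xlat is registered under the INSTANCE name, so each
# instance's ntlm_auth line must reference %{mschap_vpn:...} or
# %{mschap_switches:...}, not the default %{mschap:...}.
mschap mschap_vpn {
        use_mppe           = yes
        require_encryption = yes
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLEDOM --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap_vpn:Challenge:-00} --nt-response=%{mschap_vpn:NT-Response:-00}"
}
mschap mschap_switches {
        use_mppe           = no
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLEDOM --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap_switches:Challenge:-00} --nt-response=%{mschap_switches:NT-Response:-00}"
}

# --- raddb/sites-enabled/default: authorization decides which instance runs ---
authorize {
        preprocess      # sets Huntgroup-Name from the huntgroups file
        ldap            # rlm_ldap instance; provides the Ldap-Group comparison

        if (Huntgroup-Name == "vpn") {
                # Only members of the VPN group get an Auth-Type at all;
                # everyone else is rejected before authentication starts.
                if (Ldap-Group == "CN=VPN Users,OU=Groups,DC=example,DC=com") {
                        mschap_vpn      # sets Auth-Type := mschap_vpn
                }
                else {
                        reject
                }
        }
        elsif (Huntgroup-Name == "switches") {
                if (Ldap-Group == "CN=Network Admins,OU=Groups,DC=example,DC=com") {
                        mschap_switches # sets Auth-Type := mschap_switches
                }
                else {
                        reject
                }
        }
        else {
                # Request from a NAS not covered by either huntgroup.
                reject
        }
}

authenticate {
        # Each Auth-Type sub-section is named after the instance that set it.
        Auth-Type mschap_vpn {
                mschap_vpn
        }
        Auth-Type mschap_switches {
                mschap_switches
        }
}
```

Running the server in debug mode (`radiusd -X`) shows which instance's authorize set the Auth-Type and which ntlm_auth command line was executed, which is the quickest way to confirm the huntgroup and group checks are routing a request where you expect. As the reply notes, every additional device class adds another branch to this tree, which is why a single module that looks up all of a user's groups scales better than stacking mschap instances.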