One virtual server for MS-chapv2 against AD w/ ntlm_auth, the other one against ldap ntpasswd hash possible?

schilling schilling2006 at gmail.com
Tue Dec 7 22:42:21 CET 2010


Hi Alan,

Thanks for the hint.

Just to be sure. Both users (username and username@foo.edu) will use
eap, mschapv2 to authenticate. But there is only one mschap module in
etc/raddb/modules/?

Regards,

Schilling

On Tue, Dec 7, 2010 at 3:41 PM, Alan DeKok <aland at deployingradius.com> wrote:
> schilling wrote:
>> We got ntlm_auth against AD working for PEAP, we also got a separate
>> server for PEAP against ldap ntPassword hash.
>>
>> ...
>> Is there any way to have a virtual server (1812/1813) for
>> mschapv2-ntlm_auth-AD and another virtual server (1814/1815) for
>> mschapv2-ldap ntPassword hash?
>
>  Yes.  But I don't think that's necessary.
>
>> Here is our situation:
>> We have faculty/staff in active directory. So we are using ntlm_auth
>> against AD for their network authentication. Faculty/staff will sign
>> on with username, it will get directed to ntlm_auth against AD.
>> We have students in ldap with ntPassword but not in AD. So we would
>> like to have students sign on with username@foo.edu, so we can
>> manipulate the radius configuration to direct username@foo.edu to use
>> ldap ntPassword authentication.
>>
>> Is there any way using freeradius to accomplish this?
>
>  Yes.  And you don't need two virtual servers.
>
> 1) edit the "authorize" section to do...
> 2) if people log in with "user@foo.edu", run "ldap"
> 3)    else force "ntlm_auth"
>
>  You might have to declare a "foo.edu" realm, but that shouldn't be an
> issue.  The config should really be about 10 lines changed from the default.
>
>  Develop this by:
>
> 1) adding realm "foo.edu"
> 2) enabling ldap
> 3) checking authentication
>
> 4) adding "if not realm foo.edu"
> 5) do ntlm_auth, as per the docs, wiki, etc.
>
>  Alan DeKok.
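The single-server approach outlined in the quoted steps, written out as an added configuration sketch that is not part of the original messages and not the project's shipped configuration. It assumes a FreeRADIUS 2.x file layout, an mschap module that honours the MS-CHAP-Use-NTLM-Auth control attribute, an ldap module whose attribute map turns ntPassword into NT-Password, and an ntlm_auth path of /usr/bin/ntlm_auth.

```unlang
# --- raddb/proxy.conf -------------------------------------------------
# Local realm: no authhost/accthost, so "suffix" only sets Realm and
# Stripped-User-Name and the request is never proxied.
realm foo.edu {
}

# --- raddb/modules/mschap ---------------------------------------------
# One mschap instance serves both populations. ntlm_auth is the default
# path; it is switched off per request for the LDAP users below.
mschap {
	use_mppe = yes
	require_encryption = yes
	require_strong = yes
	# Path is an assumption; adjust to the local Samba install.
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

# --- raddb/sites-available/inner-tunnel -------------------------------
# The realm test has to run here, on the identity inside the PEAP tunnel.
authorize {
	suffix
	if (Realm == "foo.edu") {
		# Students: fetch the NT hash from LDAP (assumes the ldap
		# attribute map provides control:NT-Password from ntPassword).
		ldap
		update control {
			# Make mschap compare against NT-Password locally
			# instead of calling ntlm_auth for this request.
			MS-CHAP-Use-NTLM-Auth := No
		}
	}
	# Faculty/staff (no realm) skip the block above, so mschap
	# falls through to ntlm_auth against AD.
	mschap
	eap
}

authenticate {
	Auth-Type MS-CHAP {
		mschap
	}
	eap
}
```

Running the server with `radiusd -X` shows which branch a request took: a student login should show the ldap module returning the hash and no ntlm_auth exec, and a staff login should show the ntlm_auth command line being executed.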
