FreeRadius + AD + Realms

Matthew P mayday64 at
Sat Jul 3 01:58:08 CEST 2010

>> realm {
>>     auth_pool = active_directory
>  You'll need a line:
>	nostrip
>  To avoid EAP identity issues.
This worked, thanks. Preprocess doesn't strip the username in the default server and EAP works.
Although, now a new problem arose - I can't seem to get the (stripped) username in the inner-tunnel with preprocess.
So the username stays in the form - "user at", but that isn't usable for an LDAP search (on the AD).

(btw. if I test without the realm portion of the scenario, like AD is the only source of authentication, it works)

>  i.e. it doesn't proxy it.
>  This *does* work in 2.1.9.  So which version are you running?
I'm sorry, it was my mistake. I configured proxy_requests = no, because I thought it was meant for a server when it was only proxying requests from other sources (since this option opens a special proxying listening port).
Fixed now, proxying to virtual server works.

> And why are you creating this complicated configuration?  The
> "inner-tunnel" virtual server is set up *precisely* for this kind of
> authentication.  You do EAP in the "default" server.  Then, the
> "inner-tunnel" server gets the PAP password, and you can configure it to
> look the user up in AD there.
Because there are realms involved in the scenario.
If the realm is "" then radius needs to lookup a user in AD.
If the realm is "" then it needs to consult sql.
Otherwise it should proxy the request to a home server.

What would be a proper way to do this? I thought setting up a virtual server for every scenario is the way to go?
