FreeRadius + AD + Realms
Alan DeKok
aland at deployingradius.com
Wed Jun 30 09:59:08 CEST 2010
Matthew P wrote:
> I'm new to FreeRadius, so please bear with me. :)
Good questions are a very good start.
> Goal: Make FreeRadius look-up a user in ActiveDirectory if he has "mydomain.com" domain.
> Used method: EAP/TTLS (PAP in the tunnel)
>
> This is how I've done it, but it doesn't give the wanted results, so please explain a bit. :)
> (it doesn't seem to load the local_ad virtual server configuration, which I placed in the sites-enabled directory; it seems to just carry on executing the default server)
If you read the start of the debug output, it *should* show it loading
the "local_ad" virtual server. The output below shows it not *proxying*
the request to the "local_ad" virtual server.
> realm mydomain.com {
> auth_pool = active_directory
You'll need a line:
nostrip
To avoid EAP identity issues.
...
> rlm_realm: Preparing to proxy authentication request to realm "mydomain.com"
> ++[suffix] returns updated
> rlm_eap: Request is supposed to be proxied to Realm mydomain.com. Not doing EAP.
> ++[eap] returns noop
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns noop
> There was no response configured: rejecting request 0
i.e. it doesn't proxy it.
This *does* work in 2.1.9. So which version are you running?
And why are you creating this complicated configuration? The
"inner-tunnel" virtual server is set up *precisely* for this kind of
authentication. You do EAP in the "default" server. Then, the
"inner-tunnel" server gets the PAP password, and you can configure it to
look the user up in AD there.
In fact, you should only need to do the following:
* start with the default config
* uncomment "ldap" everywhere in raddb/sites-enabled/inner-tunnel
* configure raddb/modules/ldap to point to AD
* ensure you have the correct certificates for TTLS
* TTLS + PAP *should* work
The default configuration is designed to work in the widest possible
set of circumstances, with a minimal set of changes required to add any
common functionality.
Alan DeKok.
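The non-proxied inner-tunnel setup Alan describes, written out as an added example (not from the thread or the FreeRADIUS distribution); it assumes FreeRADIUS 2.x, an AD host ad.mydomain.com, a read-only bind account, and placeholder DNs, passwords and certificate paths.

```conf
# raddb/proxy.conf: a LOCAL realm with no auth_pool, so the request is
# never proxied and the suffix is stripped for the AD lookup.
# (nostrip only matters when a realm is proxied, as in the quoted config.)
realm mydomain.com {
}
# raddb/modules/ldap (hostnames, DNs and passwords are placeholders)
ldap {
        server = "ad.mydomain.com"
        # Read-only service account used only to search for the user;
        # AD does not allow anonymous searches.
        identity = "cn=radius-bind,ou=Service Accounts,dc=mydomain,dc=com"
        password = "REPLACE-WITH-BIND-PASSWORD"
        basedn = "dc=mydomain,dc=com"
        # AD does not expose password hashes, so rlm_ldap only locates
        # the account here and verifies the password with a bind later.
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
        tls {
                # Protect the inner PAP password on the way to AD.
                start_tls = yes
                cacertfile = /etc/raddb/certs/ad-ca.pem
                require_cert = "demand"
        }
}
# raddb/sites-enabled/inner-tunnel: the only change from the default is
# uncommenting "ldap" in authorize and "Auth-Type LDAP" in authenticate.
server inner-tunnel {
        authorize {
                suffix
                update control {
                        Proxy-To-Realm := LOCAL
                }
                eap
                ldap
                pap
        }
        authenticate {
                Auth-Type PAP {
                        pap
                }
                # Reached because rlm_ldap found no password attribute
                # in AD and therefore set Auth-Type := LDAP in authorize.
                Auth-Type LDAP {
                        ldap
                }
                eap
        }
}
```

With this in place the debug output should show `[ldap]` running in the inner-tunnel server and a successful bind, rather than the "Request is supposed to be proxied" line quoted above.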