FreeRADIUS, 802.1x, and multiple user stores

Alan DeKok aland at deployingradius.com
Thu Aug 2 00:30:05 CEST 2012


Jonathan L Ocab wrote:
> I believe you shed light onto the AD situation, but one item of note is that my campus' primary user store is OpenLDAP and is what is used by our production FreeRADIUS services.

  Authenticating *only* to OpenLDAP is easy, and it works.

> What I need to do is so our primary AD forest's domain controllers can be used. An Active Directory domain authenticated host/workstation would need to use AD for the user store and anything else would go against OpenLDAP.

  I don't know what that means.  You're using AD to store user
information, and LDAP for "everything else".  What is "everything else"?
 Why would it matter to RADIUS?

> But we also have the issue where there are separate AD forests in our campus environment.

  If they're completely separate, your best bet is to run one VM per AD
forest.  Have the VM run FreeRADIUS + Samba.  Configure a central
FreeRADIUS proxy to send packets to the appropriate VM.

> I will do some testing in my development environment to leverage ntlm_auth against our main campus AD store.

  That's the best way.  If it works for ntlm_auth, FreeRADIUS can just
leverage that.

  Alan DeKok.


More information about the Freeradius-Users mailing list