PEAP and multiple domains
Phil Mayers
p.mayers at imperial.ac.uk
Mon Jul 16 17:34:57 CEST 2012
On 16/07/12 16:12, David Aldwinckle wrote:
> Hello,
>
> I currently use PEAP and the mschap module to call ntlm_auth and authenticate against Active Directory. The FreeRadius server is currently joined to domain1.
>
> It may come about in the near future that I need to query two different domains before failing a request. Unlang says I can do this:
>
> redundant {
>     mschap.domain1
>     mschap.domain2
> }
>
> Where mschap.domain{1,2} are copies of the stock mschap module, with the new domain plugged in.
>
> Will this work?

No. As has been explained, you need a domain trust to do this.

There are other ways to do it (2 copies of samba, different smb.conf
files, join each copy to each domain, use logic to pick the correct
mschap module) but they are messy and error prone.
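
A sketch of the two-Samba alternative described in the reply above, added here as an illustration; it is not configuration from the thread or from the FreeRADIUS project. The instance names `mschap_domain1` and `mschap_domain2`, the realm names `DOMAIN1` and `DOMAIN2`, and the `/etc/samba-domainN` paths are hypothetical, and it assumes each Samba copy runs its own winbindd with separate state directories.

```conf
# Constructed example: all names and paths below are placeholders.

# modules/mschap_domain1
# Copy of the stock mschap module. ntlm_auth is pointed at the smb.conf
# of the Samba copy that is joined to domain1.
mschap mschap_domain1 {
    ntlm_auth = "/usr/bin/ntlm_auth --configfile=/etc/samba-domain1/smb.conf --request-nt-key --domain=DOMAIN1 --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

# modules/mschap_domain2
# Same module, second Samba copy joined to domain2.
mschap mschap_domain2 {
    ntlm_auth = "/usr/bin/ntlm_auth --configfile=/etc/samba-domain2/smb.conf --request-nt-key --domain=DOMAIN2 --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

# sites-available/inner-tunnel (the PEAP inner virtual server)
authenticate {
    Auth-Type MS-CHAP {
        # Choose the instance from the domain the client supplied
        # (DOMAIN\user). Nothing falls through from one domain to the
        # other, so a wrong password is tried against one domain only.
        if ("%{mschap:NT-Domain}" =~ /^DOMAIN1$/i) {
            mschap_domain1
        }
        elsif ("%{mschap:NT-Domain}" =~ /^DOMAIN2$/i) {
            mschap_domain2
        }
        else {
            # No domain or an unknown one: reject instead of guessing.
            reject
        }
    }
}
```

Users who log in without a domain prefix are rejected by this sketch, which is one of the ways the approach becomes error prone in practice.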