AD Auth Question

Martin, Jeremy jmartin at emcc.edu
Sat Dec 30 20:43:13 CET 2017


Thanks for the feedback; that makes sense. I will just need to mutate the username from “host/machine.domain.com” to “machine$”, which I can handle.

To attempt to answer your question as I understand it: right now this is proxied from NPS to FreeRADIUS. The NPS server existed before FreeRADIUS, and we only implemented FreeRADIUS when the MD5 requirement came along, as MD5 was removed from NPS some time ago; re-implementing it did make it work “sometimes”, but other times it would just fail, so rather than spend time on a removed and unsupported feature we decided to move all the MAC and MD5 dot1x authentication to a FreeRADIUS server. Now I would like to get down to just the single RADIUS server again. Now that it has been proven in production, it is time to scale out for resiliency, but I would like to finish the project off by authenticating the PEAP/MSCHAPv2 stuff back to AD, where a machine is authenticated once it is joined to the domain.

> On Dec 30, 2017, at 1:19 PM, Alan Buxey <alan.buxey at gmail.com> wrote:
> 
> Fairly easily done, and quite common; we had different requirements
> when, for example, we migrated from one domain to another.
> 
> You don't want the exec ntlm_auth thing; that's a diversion. You just
> use the mschap module (and configure the ntlm_auth line in that). You
> want to use unlang, and then in the authorize section of the
> inner-tunnel, call different mschap modules, e.g.
> 
> pseudo-code: (untested, quickly typed)
> 
> if (&User-Name =~ /@domain\.com$/) {
>     mschap-one
> }
> elsif (&User-Name =~ /@other\.domain\.com$/) {
>     mschap-two
> }
> 
> 
> But right now you just send (proxy) all this to NPS? Your aim is to
> move the authentication to the FR system?
> 
> alan
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
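Worked configuration for the approach Alan sketches above (one rlm_mschap instance per AD domain, selected by realm in the inner-tunnel), as an added example that is not the poster's config or anything from the FreeRADIUS project itself, and untested here. It assumes FreeRADIUS 3.0.x, that Samba's winbind on the RADIUS host is joined to (or trusts) both domains and that the radiusd user may use winbind's privileged pipe, and it uses placeholder instance names (mschap-one, mschap-two), domain names (DOMAIN, OTHER, domain.com, other.domain.com) and an ntlm_auth path that you would substitute with your own. The handling of "host/machine.domain.com" by the module's own User-Name expansion is stated as my understanding of rlm_mschap 3.0.x, not as something confirmed in this thread.

```conf
# mods-available/mschap (FreeRADIUS 3.0.x): one rlm_mschap instance per AD domain.
# Instance names, domain names and the ntlm_auth path are placeholders.
# Each instance registers its own xlat under its instance name, so the
# Challenge / NT-Response / User-Name expansions must use that name, not "mschap".
mschap mschap-one {
	use_mppe = yes
	require_encryption = yes
	require_strong = yes
	with_ntdomain_hack = yes
	# Assumption (my reading of rlm_mschap 3.0.x): %{mschap-one:User-Name} strips a
	# "DOMAIN\" prefix and, for machine authentication, rewrites
	# "host/machine.domain.com" to "machine$" only in what ntlm_auth sees, while the
	# MS-CHAPv2 challenge hash is still computed over the name the client sent.
	# Rewriting &User-Name itself in unlang before the module runs would change the
	# name used for that hash and break the authentication.
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap-one:User-Name} --challenge=%{%{mschap-one:Challenge}:-00} --nt-response=%{%{mschap-one:NT-Response}:-00} --domain=DOMAIN"
}

mschap mschap-two {
	use_mppe = yes
	require_encryption = yes
	require_strong = yes
	with_ntdomain_hack = yes
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap-two:User-Name} --challenge=%{%{mschap-two:Challenge}:-00} --nt-response=%{%{mschap-two:NT-Response}:-00} --domain=OTHER"
}

# sites-available/inner-tunnel: choose the instance by realm in authorize, and give
# each instance its own Auth-Type block in authenticate. In authorize, rlm_mschap
# sets Auth-Type to its own instance name when it finds an MS-CHAP response, which
# is what routes the request to the matching block below.
server inner-tunnel {
	authorize {
		# Keep the stock entries here (filter_username, suffix, eap, files, ...);
		# only the realm-based mschap selection is shown.
		if (&User-Name =~ /@domain\.com$/i) {
			mschap-one
		}
		elsif (&User-Name =~ /@other\.domain\.com$/i) {
			mschap-two
		}
		else {
			# Unknown realm: reject explicitly rather than fall through to a
			# default mschap instance that would try the wrong domain.
			reject
		}
	}

	authenticate {
		Auth-Type mschap-one {
			mschap-one
		}
		Auth-Type mschap-two {
			mschap-two
		}
		# Keep the stock eap / pap entries here as well.
	}
}
```

Before putting this in front of the NPS cut-over, run `radiusd -X` and watch the inner-tunnel authorize output for a PEAP/MSCHAPv2 request from each domain: the debug log shows which mschap instance ran and the exact ntlm_auth command line it expanded, which is the quickest way to confirm the realm match and the username form that reached winbind. If the two domains are not in one forest or trust, a single winbind cannot serve both; that case needs a separate Samba join per domain (for example two Samba instances), which is outside what the thread describes.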




More information about the Freeradius-Users mailing list