Multiple Windows Domains
Adam.Bishop at jisc.ac.uk
Thu Oct 26 18:02:32 CEST 2017
On 26 Oct 2017, at 14:51, Brian Smith - IN2IT <bsmith at in2it.co.za> wrote:
> Has anyone done anything like this using FreeRadius?
Most of the problems aren't FreeRADIUS problems - FreeRADIUS can certainly do what you've described, but it is dependant on you being able to supply it useful information:
* Identifying users - how do you tell Company A's users from Company B's users? Do they have different @realms? Different DOMAIN\ ?
* The above will influence your backend - if you use Samba (for machine authentication), getting it to authenticate multiple domains is hard/impossible, so you'd likely need at least 1 server per domain, fronted by additional RADIUS servers to route the requests. If you use LDAP directly you could use a single instance, but integrating with AD using raw LDAP has some challenges. You could also try adding a 6th domain with trusts to each of the 5 domains. EAP type used has a large impact here - if you use EAP-TLS with user certificates, you may not even need to communicate with the domains.
* What policy do you need to implement? Should Company A be able to log on from access points at company B? Do you need to classify users into groups?
* How will the addresses be assigned? Using RADIUS, or dynamic VLAN assignment and DHCP?
It's likely that unless your environment does something very specialised or non-standard, you can make everything work, but you need to provide more information before anyone can tell you what configuration to use.
gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
More information about the Freeradius-Users