Hello, so for the BASIC question! First, is there any docs that explain the concepts of how all the various pieces of FR tie together?
Read the debug - it will tell you what server does when it starts and when it processes the request.
We have various environments that need to authenticate and authorize using FR: VPN connections with something like (if member of "VPNGroup" then permit, else deny); vty login to network gear with (if member of "NetEngGroup" then permit, else deny); and 802.1x with dynamic VLAN assignment. I plan to use ntlm_auth for all of these to hit AD on the backend.
The problem I'm having is grasping how I can do this? Do I need separate instances of FR?
No.
A bunch of "if then/else" clauses somewhere?
Yes, see man unlang. Configure AD in ldap module and use Ldap-Group to test membership.
How does FR know what type of auth is required?
If you configure ntlm_auth statement in mschap module it will use it. Read AD integration guide: http://deployingradius.com/documents/configuration/active_directory.html Ivan Kalik Kalik Informatika ISP