Hi Alan, Thanks for the hint. Just to be sure. Both user(username and username@foo.edu) will use eap, mschapv2 to authenticate. But there is only one mschap module in etc/raddb/modules/? Regards, Schilling On Tue, Dec 7, 2010 at 3:41 PM, Alan DeKok <aland@deployingradius.com> wrote:
schilling wrote:
We got ntlm_auth against AD working for PEAP, we also got separate server for PEAP against ldap ntPassword hash.
... Is there any way to have a virtual server(1812/1813) for mschapv2-ntlm_auth-AD and another virtual server(1814/1815) for mschapv2-ldap ntPassword hash?
Yes. But I don't think that's necessary.
Here is our situation: We have faculty/staff in active directory.So we are using ntlm_auth against AD for their network authentication. Faculty/staff will sign on with username, it will get directed to ntpm_auth against AD. We have student in ldap with ntPassword but not in AD. So we would like to have student sign on with username@foo.edu, so we can manipulate the radius configuration to direct username@foo.edu to use ldap ntPassword authentication.
Is there anyway using freeradius to accomplish this?
Yes. And you don't need two virtual servers.
1) edit the "authorize" section to do... 2) if people log in with "user@foo.edu", run "ldap" 3) else force "ntlm_auth"
You might have to declare a "foo.edu" realm, but that shouldn't be an issue. The config should really be about 10 lines changed from the default.
Develop this by:
1) adding realm "foo.edu" 2) enabling ldap 3) checking authentication
4) adding "if not realm foo.edu" 5) do ntlm_auth, as per the docs, wiki, etc.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html