On 10/21/2010 10:40 PM, Ramzi Abdallah wrote:
I have configured freeradius version 2.1.9 with mySQL backend and Active Directory integration (NTLM) for the purpose of using it to authenticate users against firewall protected policies.
So far it’s all working. When a user hits a firewall protected policy he is prompted to authenticate after which the radius query the AD for the username and password. If the user credentials are correct access is granted.
What is prompting here? How is the firewall asking the user for a password? Is this web intercept? If so, then the NAS is the firewall, and when a user makes an HTTP request, it is asking for their credentials via some kind of HTTP auth, then sending them to the radius server, yes? Also, FreeRadius can't be "querying AD for the password". The LDAP server embedded into Active Directory will not give up the password. How have you got FreeRadius configured - be precise, or better yet, post the debug output of a successful request.
The bit that I cannot figure out is how to let the Radius use NTLM to check if the user is already logged in the domain controller and if so not to prompt him for his username and password via the firewall captive portal. Is that doable or I missed the idea behind the Active Directory integration?
I'm not sure I really understand what you want, but if I do, it's impossible. If you can give more details about your setup I can answer further, but basically the firewall is doing the prompting - the firewall would have to implement NTLM auth, not FreeRadius.