So, the question again is if the VPN Concentrator is only sending username and password, do I need ntml_auth or ms-chap? FreeRADIUS doesn't have any usernames and password and will query Active Directory for the actual authentication.
Thanks,
If the packet is merely containing plaintext username and password, then you can probably just use rlm_ldap against AD and hit it directly. Just need to setup a user with read access to the directory to do the initial bind with and search of the user for authorization. Then the user will be authenticated by doing a bind against AD with the username/password in the packet. BTW - I use freeradius w/ ldap for cisco VPN concentrators as well, although its openldap instead of AD. To pass back the class attribute, you must modify ldap.attrmap and specify the reply item of Class to match what you call it in the directory. eg: replyItem Class radiusClass Then in the directory, you have dn: cn=someuser,... ... radiusClass: "OU=myvpngroup;" So, for AD, you'll need to extend the schema and add an attribute for this. Or if you already have something that you can use, just modify ldap.attrmap to know what it is. -Dusty Doris