Got the whole setup working. So basically if users sign on with username@foo.edu with eap, they will be sent to ldap w/ ntpassword authorization. If users sign on with username only with eap, they will be sent to active directory w/ ntlm authentication. configuration changes are the following: etc/raddb/proxy.conf add realm foo.edu { } realm NULL { } /etc/raddb/site-enabled/inner-tunnel at the ldap line in authorize section add switch "%{Realm}" { case foo.edu { ldap #see /etc/raddb/module/mschap if ntpassword available, then do not use #NTLM_auth update control { MS-CHAP-Use-NTLM-Auth := NO } case NULL { mschap } } etc/raddb/module/mschap, etc/raddb/module/ntlm are all from integrate with Active Directory howto. Thanks for the great software, and can not wait to see the finish of the book. There are so many internals to be understood. Schilling On Wed, Dec 8, 2010 at 2:12 AM, Alan DeKok <aland@deployingradius.com> wrote:
schilling wrote:
Just to be sure. Both user(username and username@foo.edu) will use eap, mschapv2 to authenticate. But there is only one mschap module in etc/raddb/modules/?
So... configure another mschap module.
See raddb/modules/files for examples of configuring two instances of the same module.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html