Jonathan L Ocab wrote:
I believe you shed light onto the AD situation, but one item of note is that my campus' primary user store is OpenLDAP and is what is used by our production FreeRADIUS services.
Authenticating *only* to OpenLDAP is easy, and it works.
What I need to do is so our primary AD forest's domain controllers can be used. An Active Directory domain authenticated host/workstation would need to use AD for the user store and anything else would go against OpenLDAP.
I don't know what that means. You're using AD to store user information, and LDAP for "everything else". What is "everything else"? Why would it matter to RADIUS?
But we also have the issue where there are separate AD forests in our campus environment.
If they're completely separate, your best bet is to run one VM per AD forest. Have the VM run FreeRADIUS + Samba. Configure a central FreeRADIUS proxy to send packets to the appropriate VM.
I will do some testing in my development environment to leverage ntlm_auth against our main campus AD store.
That's the best way. If it works for ntlm_auth, FreeRADIUS can just leverage that. Alan DeKok.