On Fri, 2019-08-16 at 14:22 +0000, WAGHORN, Jason (NHS BORDERS) via Freeradius-Users wrote:
I'm planning to migrate the AD authentication method we use from WINBIND/NTLM_AUTH to LDAP to be able to control who has access to use devices.
Are you confusing authentication and authorisation? How does changing the auth method alter who can get on?
I'm sensing that the way to do this is to disable the ntlm_auth module, configure the ldap module, enable the ldap module and then modify the site config to use ldap instead of ntlm_auth?
Using LDAP (with AD) for auth will restrict you to using PAP methods only. So basically TTLS/PAP.
Has anyone else done it and have a set of steps to follow that they are willing to share? Just trying to avoid reinventing the wheel.
Sounds like you just need to keep ntlm/winbind auth and add an LDAP lookup to check that the user authenticating is actually allowed on or not. -- Matthew