Matthew P wrote:
I'm new to FreeRadius, so please bear with me. :)
Good questions are a very good start.
Goal: Make FreeRadius look-up a user in ActiveDirectory if he has "mydomain.com" domain. Used method: EAP/TTLS (PAP in the tunnel)
This is how I've done it, but it doesn't give the wanted results, so please explain a bit. :) (it doesn't seem to load the local_ad virtual server configuration, which is I placed in the sites-enabled directory, it seems to just carry on executing the default server)
If you read the start of the debug output, it *should* show it loading the "local_ad" virtual server. The output below shows it not *proxying* the request to the "local_ad" virtual server.
realm mydomain.com { auth_pool = active_directory
You'll need a line: nostrip To avoid EAP identity issues. ...
rlm_realm: Preparing to proxy authentication request to realm "mydomain.com" ++[suffix] returns updated rlm_eap: Request is supposed to be proxied to Realm mydomain.com. Not doing EAP. ++[eap] returns noop ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop There was no response configured: rejecting request 0
i.e. it doesn't proxy it. This *does* work in 2.1.9. So which version are you running? And why are you creating this complicated configuration? The "inner-tunnel" virtual server is set up *precisely* for this kind of authentication. You do EAP in the "default" server. Then, the "inner-tunnel" server gets the PAP password, and you can configure it to look the user up in AD there. In fact, you should only need to do the following: * start with the default config * uncomment "ldap" everywhere in raddb/sites-enabled/inner-tunnel * configure raddb/modules/ldap to point to AD * ensure you have the correct certificates for TTLS * TTLS + PAP *should* work The default configuration is designed to work in the widest possible set of circumstances, with a minimal set of changes required to add any common functionality. Alan DeKok.