RE: Freeradius How to integrate Active Directory[ADIntegrationWindowsXP NTLM Tutorial]
So, the question again is if the VPN Concentrator is only sending username and password, do I need ntml_auth or ms-chap? FreeRADIUS doesn't have any usernames and password and will query Active Directory for the actual authentication. Thanks, Alhagie Puye - Network Engineer Datawave Group of Companies (604)295-1817
-----Original Message----- From: freeradius-users-bounces@lists.freeradius.org [mailto:freeradius-users-bounces@lists.freeradius.org] On Behalf Of Alhagie Puye Sent: November 24, 2005 3:04 PM To: FreeRadius users mailing list Subject: RE: Freeradius How to integrate Active Directory[ADIntegrationWindowsXP NTLM Tutorial]
Alhagie Puye - Network Engineer Datawave Group of Companies (604)295-1817
-----Original Message----- From: freeradius-users-bounces@lists.freeradius.org [mailto:freeradius-users-bounces@lists.freeradius.org] On Behalf Of Alan DeKok Sent: November 24, 2005 2:36 PM To: FreeRadius users mailing list Subject: Re: Freeradius How to integrate Active Directory [ADIntegrationWindowsXP NTLM Tutorial]
"Alhagie Puye" <APuye@datawave.com> wrote:
SSL-VPN client -> Cisco VPN Concentrator -> FreeRadius -> W2K Active Directory
What is in the RADIUS packet from the VPN concentrator? EAP? User-Password? You need to know this. Username and Password
I think I should be using ntlm_auth. Or should I be using the LDAP module?
It depends on what's in the RADIUS packet.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Disclaimer: This message (including any attachments) is confidential, may be privileged and is only intended for the person to whom it is addressed. If you have received it by mistake please notify the sender by return e-mail and delete this message from your system. Any unauthorized use or dissemination of this message in whole or in part is strictly prohibited. E-mail communications are inherently vulnerable to interception by unauthorized parties and are susceptible to change. We will use alternate communication means upon request.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Disclaimer: This message (including any attachments) is confidential, may be privileged and is only intended for the person to whom it is addressed. If you have received it by mistake please notify the sender by return e-mail and delete this message from your system. Any unauthorized use or dissemination of this message in whole or in part is strictly prohibited. E-mail communications are inherently vulnerable to interception by unauthorized parties and are susceptible to change. We will use alternate communication means upon request.
So, the question again is if the VPN Concentrator is only sending username and password, do I need ntml_auth or ms-chap? FreeRADIUS doesn't have any usernames and password and will query Active Directory for the actual authentication.
Thanks,
If the packet is merely containing plaintext username and password, then you can probably just use rlm_ldap against AD and hit it directly. Just need to setup a user with read access to the directory to do the initial bind with and search of the user for authorization. Then the user will be authenticated by doing a bind against AD with the username/password in the packet. BTW - I use freeradius w/ ldap for cisco VPN concentrators as well, although its openldap instead of AD. To pass back the class attribute, you must modify ldap.attrmap and specify the reply item of Class to match what you call it in the directory. eg: replyItem Class radiusClass Then in the directory, you have dn: cn=someuser,... ... radiusClass: "OU=myvpngroup;" So, for AD, you'll need to extend the schema and add an attribute for this. Or if you already have something that you can use, just modify ldap.attrmap to know what it is. -Dusty Doris
participants (2)
-
Alhagie Puye -
Dusty Doris