Re: FreeRadius + AD + Realms
realm mydomain.com { auth_pool = active_directory
You'll need a line:
nostrip
To avoid EAP identity issues. This worked, thanks. Preprocess doesn't strip the username in the default server and EAP works. Although, now a new problem arrised - I can't seem to get the (stripped) username in the inner-tunnel with preprocess. So the username stays in the form - "user@mydomain.com", but that isn't usable for a LDAP search (on the AD).
(btw. if I test without the realm portion of the scenario, like AD is the only source of authentication, it works)
i.e. it doesn't proxy it.
This *does* work in 2.1.9. So which version are you running? I'm sorry, it was my mistake. I configured proxy_requests = no, because I thought it was ment for a server when it was only proxying requests from other sources (since this option opens a special proxy-ing listening port). Fixed now, proxying to virtual server works.
And why are you creating this complicated configuration? The "inner-tunnel" virtual server is set up *precisely* for this kind of authentication. You do EAP in the "default" server. Then, the "inner-tunnel" server gets the PAP password, and you can configure it to look the user up in AD there. Because there are realms involved in the scenario. If the realm is "mydomain.com" then radius needs to lookup a user in AD. If the realm is "mydomain2.com" then it needs to consult sql. Otherwise it should proxy the request to a home server.
What would be a proper way to do this? I thought setting up a virtual server for every scenario is the way to go? TIA! _________________________________________________________________ Your E-mail and More On-the-Go. Get Windows Live Hotmail Free. https://signup.live.com/signup.aspx?id=60969
Matthew P wrote:
Although, now a new problem arrised - I can't seem to get the (stripped) username in the inner-tunnel with preprocess. So the username stays in the form - "user@mydomain.com", but that isn't usable for a LDAP search (on the AD).
So... decode the user-name using a regex. You can then use that in the LDAP configuration. The LDAP user search is configurable for a *reason*.
Because there are realms involved in the scenario. If the realm is "mydomain.com" then radius needs to lookup a user in AD. If the realm is "mydomain2.com" then it needs to consult sql. Otherwise it should proxy the request to a home server.
What would be a proper way to do this? I thought setting up a virtual server for every scenario is the way to go?
It's an option, but not the only way to do it. if (User-Name =~ /@mydomain.com/) { ldap } elsif (User-Name =~ /@mydomain2.com) { sql } else { update control { Proxy-To-Realm := "other" } } Alan DeKok.
participants (2)
-
Alan DeKok -
Matthew P