LDAP and AD authentication on the same FreeRadius server
Hi, I am trying to set up a FreeRadius server for a VPN connection used by users stored in an LDAP or in an AD. I succeeded to authenticate on LDAP and on AD separately with the two following radtest commands : LDAP : radtest dclavier "password" localhost 0 testing123 AD : radtest -t mschap dclavier "Password1234*" localhost 0 testing123 However, I would like to configure the FreeRadius server to authenticate users on LDAP or AD, based on the realm. For example, user dclavier@ldap.com should use ldap authentication, and dclavier@ad.com should use mschap authentication (or ntlm_auth) without specifying which method to use. So, I would like FreeRadius to choose the right Auth-Type according to the realm. At least, I would like FreeRadius to try the second auth-type if the first failed. I looked at the proxy.conf file to perform what I want, but I can't find how to specify the auth type for each realm. So I would like to know if it is possible to perform authentication for users from LDAP and users from AD with only one FreeRadius server. If yes, I would be happy if you can suggest how to do it. Regards, Denis CLAVIER
On Jul 23, 2018, at 5:26 AM, Denis CLAVIER via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I am trying to set up a FreeRadius server for a VPN connection used by users stored in an LDAP or in an AD. I succeeded to authenticate on LDAP and on AD separately with the two following radtest commands :
LDAP : radtest dclavier "password" localhost 0 testing123 AD : radtest -t mschap dclavier "Password1234*" localhost 0 testing123
However, I would like to configure the FreeRadius server to authenticate users on LDAP or AD, based on the realm. For example, user dclavier@ldap.com should use ldap authentication, and dclavier@ad.com should use mschap authentication (or ntlm_auth) without specifying which method to use. So, I would like FreeRadius to choose the right Auth-Type according to the realm. At least, I would like FreeRadius to try the second auth-type if the first failed.
It's better to do it right the first time. Getting it wrong and doing something else is bad.
I looked at the proxy.conf file to perform what I want, but I can't find how to specify the auth type for each realm.
You have to put that together yourself. FreeRADIUS gives you the tools to solve problems. It doesn't give you every solution to every possible problem that everyone can have.
So I would like to know if it is possible to perform authentication for users from LDAP and users from AD with only one FreeRadius server. If yes, I would be happy if you can suggest how to do it.
Configure the two realms: ldap.com { } ad.com{ } This tells the server that the realms exist, but that they shouldn't be proxied anywhere. The documentation in "proxy.conf" should give you more guidance here. Then, in the "authorize" section, after the "suffix" module, do: if (Realm == "ldap.com") { update control { Auth-Type := "ldap" } } elsif (Realm == "ad.com") { update control { Auth-Type := "ad" } } Alan DeKok.
Hi Alan, Thank you for your quick answer. Your solution is exactly what I wanted to do. I tried it and it works well. I knew that proxy.conf could redirect on the local server but I did not know the syntax to retrieve the domain and update the Auth-Type. Thanks again :) Regards, Denis CLAVIER ----- Mail original ----- De: "Alan DeKok" <aland@deployingradius.com> À: "freeradius-users" <freeradius-users@lists.freeradius.org> Envoyé: Lundi 23 Juillet 2018 15:06:11 Objet: Re: LDAP and AD authentication on the same FreeRadius server On Jul 23, 2018, at 5:26 AM, Denis CLAVIER via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I am trying to set up a FreeRadius server for a VPN connection used by users stored in an LDAP or in an AD. I succeeded to authenticate on LDAP and on AD separately with the two following radtest commands :
LDAP : radtest dclavier "password" localhost 0 testing123 AD : radtest -t mschap dclavier "Password1234*" localhost 0 testing123
However, I would like to configure the FreeRadius server to authenticate users on LDAP or AD, based on the realm. For example, user dclavier@ldap.com should use ldap authentication, and dclavier@ad.com should use mschap authentication (or ntlm_auth) without specifying which method to use. So, I would like FreeRadius to choose the right Auth-Type according to the realm. At least, I would like FreeRadius to try the second auth-type if the first failed.
It's better to do it right the first time. Getting it wrong and doing something else is bad.
I looked at the proxy.conf file to perform what I want, but I can't find how to specify the auth type for each realm.
You have to put that together yourself. FreeRADIUS gives you the tools to solve problems. It doesn't give you every solution to every possible problem that everyone can have.
So I would like to know if it is possible to perform authentication for users from LDAP and users from AD with only one FreeRadius server. If yes, I would be happy if you can suggest how to do it.
Configure the two realms: ldap.com { } ad.com{ } This tells the server that the realms exist, but that they shouldn't be proxied anywhere. The documentation in "proxy.conf" should give you more guidance here. Then, in the "authorize" section, after the "suffix" module, do: if (Realm == "ldap.com") { update control { Auth-Type := "ldap" } } elsif (Realm == "ad.com") { update control { Auth-Type := "ad" } } Alan DeKok. - List info/subscribe/unsubscribe? See https://urldefense.proofpoint.com/v2/url?u=http-3A__www.freeradius.org_list_...
participants (2)
-
Alan DeKok -
Denis CLAVIER