Re: ntlm_auth child domain
I'd say use ntlm_auth with 2 instances of MSCHAP module - using unlang and fail-through mechanism...so if MSCHAP instance 1 fails then it tries instance 2 We used this mechanism when migrating from one AD to another alan -- This smartphone uses free WiFi around the world with eduroam, now that's what I call smart.
Ok, Do you have a handy guide or documentation for that, I’m pretty newb with freeradius. Thank you I'd say use ntlm_auth with 2 instances of MSCHAP module - using unlang and fail-through mechanism...so if MSCHAP instance 1 fails then it tries instance 2 We used this mechanism when migrating from one AD to another alan -- This smartphone uses free WiFi around the world with eduroam, now that's what I call smart. ---------------------------------------------------------------------------------------------------------- Ce courriel a �t� filtr� par ModusGate et Webshield afin de le certifier comme l�gitime et exempt de virus.
Hi,
Do you have a handy guide or documentation for that, I’m pretty newb with freeradius.
man unlang http://wiki.freeradius.org/config/Fail-over alan
Hi, Just to update I was able to do what I intended to : Here what I did, In the authenticate of inner-tunnel and default I added this: Auth-Type MS-CHAP { group { mschap { reject = 1 ok = return } mschap_tata { reject = 1 ok = return } mschap_toto { ok = return } } } And in mschap module I added: Mschap { with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=%{%{mschap:NT-Domain}:-%{Realm}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}" } mschap mschap_tata { ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{%{mschap:NT-Domain}:-tata} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" } mschap mschap_toto { ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{%{mschap:NT-Domain}:-toto} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" } Also added in proxy.conf Realm tata { } Realm toto { } With this I was able to do what I wanted, I am able to permit users from both domain whether they write their user like tata\username, toto\username or just username I was also able to to peap authentification by just using the documentation, Now I’m looking at LDAP to check the group membership of user and only permit certain group and /or send attribute to those group. Thank you Yannick Ménard ---------------------------------------------------------------------------------------------------------- Ce courriel a �t� filtr� par ModusGate et Webshield afin de le certifier comme l�gitime et exempt de virus.
participants (3)
-
Alan Buxey -
alan buxey -
Menard, Yannick