Hi all, hopefully i got to the right group of people. We are trying to use Freeradius to do PEAP/MSCHAPv2 authentication against Active Directory (2003). Our realm is abc.acme.edu, but since Eduroam doesn't allow subdomain, end user has to use bob@acme.edu instead bob@abc.acme.edu as username. My question is can you modify the realm behind the user's back? (during EAP process). Kevin
On 13/10/2011 21:16, Kevin Chan wrote:
Hi all,
hopefully i got to the right group of people.
We are trying to use Freeradius to do PEAP/MSCHAPv2 authentication against Active Directory (2003). Our realm is abc.acme.edu, but since Eduroam doesn't allow subdomain, end user has to use bob@acme.edu instead bob@abc.acme.edu as username.
Presumably you are in the US? ... It's a shame that US eduroam seems to forbid subdomains for it's own institutions (lots of organisations doing eduroam in Europe use subdomain realms).
My question is can you modify the realm behind the user's back? (during EAP process).
I think this may mess things up... but you shouldn't need to *modify* the realm? [More info about your specifics please]? The realm on the outer ID will get the auth to your FR (anything@uni.edu). The realm [if present] on the inner ID is generally stripped before it goes to ntlm_auth against your AD). Regards, James -- James J J Hooper Senior Network Specialist, University of Bristol http://www.wireless.bristol.ac.uk --
On 13/10/2011 21:35, James J J Hooper wrote:
On 13/10/2011 21:16, Kevin Chan wrote:
Hi all,
hopefully i got to the right group of people.
We are trying to use Freeradius to do PEAP/MSCHAPv2 authentication against Active Directory (2003). Our realm is abc.acme.edu, but since Eduroam doesn't allow subdomain, end user has to use bob@acme.edu instead bob@abc.acme.edu as username.
Presumably you are in the US? ... It's a shame that US eduroam seems to forbid subdomains for it's own institutions (lots of organisations doing eduroam in Europe use subdomain realms).
I re-read http://www.eduroamus.org/node/29 ... It says that *you* shouldn't forward subdomains of your own realm to the national proxies, which would be filtered. This indeed makes sense for loop protection. ...and it implies "only usernames of the form user@institution.edu" should be accepted, but it doesn't actually state that you can't use subdomains. I suppose it depends on how the "routing" on the US level eduroam proxies is set-up: if (Realm =~ /^(.+\.)?\.uni\.edu$/) { } or if (Realm =~ /^uni\.edu$/) { } -James -- James J J Hooper Senior Network Specialist, University of Bristol http://www.wireless.bristol.ac.uk --
Hi,
We are trying to use Freeradius to do PEAP/MSCHAPv2 authentication against Active Directory (2003). Our realm is abc.acme.edu, but since Eduroam doesn't allow subdomain, end user has to use bob@acme.edu instead bob@abc.acme.edu as username.
you shouldnt send your own sub domains up to the national level - hopefully they have picked up on issues that older eduroam federations have had in the past....it can be the cause of loops... hopefully the national level has loop detection mechanisms for if an end site does something silly. it would be shame if they are stopping you from using sub-realms...its quite common elsewhere... but anyway, you shouldnt need to worry, the outerid is just like the address on an envelope....to get the RADIUS request back to YOUR RADIUS servers. once it gets there, the EAP tunnel is created and the innerID is exposed..and that can be whatever you want - with realm or without realm. you can also adjust the ntlm_auth command to send whatever realm you want locally to the AD of course, could have issues with older clients where you cannot adjust outerID
My question is can you modify the realm behind the user's back? (during EAP process).
the username does not need to be used as-is..generally you could (and many do!) use the Stripped-User-Name in the ntlm_auth stage alan
participants (3)
-
Alan Buxey -
James J J Hooper -
Kevin Chan