CiscoAP->Freeradius->AD->ISA(ntlm authentication)

Alan DeKok aland at ox.org
Tue Jan 3 16:40:04 CET 2006


Konne <bridge_stone at gmx.net> wrote:
> Freeradius looks in the ActiveDirectory if the 
> user exists and has the rights to connect to the internet. If the 
> authentication is ok, the user must surf over an ISA because websense 
> is installed there.

  That's not helpful.  You're saying that even though you know only
authenticated users access your net, you still make them authenticate
again?

> Is it possible to have a transparent authentication 
> through the isa-server? I mean, if the client is in the condition that he 
> can send the ntlm authentication, that he doesn't have to authenticate 
> twice, one time on the chillispot and the second on the isa 
> server. Is there any possibility?

  The only way to do that is if the RADIUS server can tell the isa
that the user is OK, and they don't have to be authenticated.  See the
isa docs for if this is possible, and if possible, how.  Then write a
script on FreeRADIUS to send the information isa needs.

  In general, what you want to do is difficult, because most people
don't do it.  And most people don't do it because authenticating
people twice is pointless.

  Alan DeKok.



