ldap and ad for 802.1x

Ivan Kalik tnt at kalik.net
Thu Jul 2 00:56:41 CEST 2009


>> I'm trying to figure out the necessary steps and configs to make the
>> following happen. 2 groups of users, one residing in ldap with
>> samba/ntlm hashes and another in AD, need to authenticate through Radius
>> servers for 802.1x wireless.  At this point, I have the Radius server
>> successfully authenticating the users in LDAP, using their Samba
>> credentials, but it's a different story with AD. I joined Samba from the
>> Radius box into the AD domain and I'm able to test authentication
>> successfully with ntlm_auth command, however authentication against
>> Radius doesn't seem to be working.  The debug output shows that any AD
>> auth. attempt is going against LDAP instead.
>> I'm doing it on the same box, same shared Radius config, which is
>> probably related to the issue and I think that I need some way to
>> enforce separation between LDAP and AD, however my next steps are not at
>> all clear.  I would appreciate any guidance or advice on this.
>>
>> Thank you very much in advance.
>>
>> The AD-Radius guide I used came from this URL and I simply added the
>> described config to the working LDAP config.
>>
>> http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
>
> You need to create authentication fail-over. If you are sending pap
> requests, replace pap in Auth-Type PAP with:
>
> redundant {
>      pap
>      ntlm_auth
> }
>
> For mschap requests, create two mschap module instances - one as default
> and one with ntlm_auth line enabled. Then replace mschap in Auth-Type
> MS-CHAP with:
>
> redundant {
>      mschap_default
>      mschap_ad
> }
>
> Ivan Kalik
> Kalik Informatika ISP
>
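The layout the reply describes, written out as an added example (not from the original post, the HOWTO, or the FreeRADIUS project's shipped files): two mschap instances in raddb/modules/mschap and the two redundant blocks in the authenticate section. FreeRADIUS 2.x syntax is assumed; the ntlm_auth path and MYDOMAIN are placeholders, and the ntlm_auth command lines follow the stock 2.x module files.

```unlang
# raddb/modules/mschap
# Instance 1: verifies against the NT-Password that the ldap module
# fetched from the user's sambaNTPassword. No ntlm_auth line.
mschap mschap_default {
	use_mppe = yes
	require_encryption = yes
	require_strong = yes
	with_ntdomain_hack = yes
}

# Instance 2: hands challenge and response to winbind, so the AD
# domain controller does the check. Path is a placeholder.
mschap mschap_ad {
	use_mppe = yes
	require_encryption = yes
	require_strong = yes
	with_ntdomain_hack = yes
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

# raddb/modules/ntlm_auth: exec-style module used for PAP requests.
# MYDOMAIN is a placeholder for the AD domain the box was joined to.
exec ntlm_auth {
	wait = yes
	program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
}

# raddb/sites-enabled/default, and inner-tunnel for PEAP/EAP-TTLS,
# since 802.1X MS-CHAPv2 runs inside the tunnel.
# redundant only moves on when the previous entry returns "fail";
# a "reject" ends the block, so confirm in radiusd -X which code the
# first instance returns for an AD-only user before relying on this.
authenticate {
	Auth-Type PAP {
		redundant {
			pap          # LDAP users (Cleartext/NT hash)
			ntlm_auth    # AD users via winbind
		}
	}

	Auth-Type MS-CHAP {
		redundant {
			mschap_default
			mschap_ad
		}
	}
}
```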
More information about the Freeradius-Users mailing list