Freeradius With edirectory and Active directory

jaswinder kaur saini_jas16 at yahoo.co.in
Thu Jul 23 17:57:33 CEST 2009


Hello Ivan,

Yes, it is an upcoming project. I would appreciate
whatever help I get from you or any reference to where I can get more
information from.
We have our users on the aaaa.example.com domain
and are in an eDirectory environment. But our users are going to share a
big part of the building with another company who are a totally
different domain controlled by Active Directory. Our management wants
us to create a RADIUS infrastructure so that a user, irrespective of
their company, plugs their laptop into an available socket and gets put
into the right domain and all the other network services based on their
login credentials.

Many Thanks,
Jas


Message: 4
Date: Thu, 23 Jul 2009 10:14:59 +0100 (BST)
From: "Ivan Kalik" <tnt at kalik.net>
Subject: Re: Freeradius With edirectory and Active directory
To: "FreeRadius users mailing list"
    <freeradius-users at lists.freeradius.org>
Message-ID:
    <53179.194.176.105.44.1248340499.squirrel at webmail.kalik.net>
Content-Type: text/plain;charset=utf-8

> Is it possible to have freeradius integrated in a environment with two
> totally different domains, one controlled by edirectory and the other by
> active directory?

Yes. You will need to create two mschap instances (one with ntlm_auth and
one without) and failover in Auth-Type MS-CHAP.

Auth-Type MS-CHAP {
     mschap_default {
          reject = 2
     }
     if(reject) {
          mschap_ad
     }
}

Where mschap_default is a copy of default mschap module while mschap_ad
has ntlm_auth line enabled. This applies to AD + anything else (ldap, sql,
users file stored passwords). If you are going to have pap requests as
well you should add failover to ntlm_auth after pap:

if(!control:Auth-Type) {
     # No earlier module (e.g. pap) chose an Auth-Type: fall back to ntlm_auth
     update control {
          Auth-Type := ntlm_auth
     }
}

Is there interest for this? I can write a guide how to combine
authentication of AD stored accounts with those stored elsewhere (ldap,
sql, users file).

Ivan Kalik
Kalik Informatika ISP
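
The two mschap instances that the reply names (mschap_default and mschap_ad) could be declared as below. This is an added example in FreeRADIUS 2.x module syntax, not part of the original thread; the ntlm_auth path and the option values shown are assumptions to adapt to the local install.

```conf
# modules/mschap: two instances of the same rlm_mschap module.

# Instance 1: verifies the MS-CHAP response locally, against a password that
# an authorize module (ldap for eDirectory, sql, files) put in the control list.
mschap mschap_default {
    use_mppe = yes
    require_encryption = yes
    require_strong = yes
}

# Instance 2: passes the challenge and response to Samba's ntlm_auth helper,
# which asks an Active Directory domain controller to verify them.
# Assumes the RADIUS host is joined to the AD domain and winbind is running.
mschap mschap_ad {
    use_mppe = yes
    require_encryption = yes
    require_strong = yes

    # The xlat prefix is the instance name, so this line uses
    # %{mschap_ad:...} rather than the stock %{mschap:...}.
    # /usr/bin/ntlm_auth is an assumed path.
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap_ad:Challenge:-00} --nt-response=%{mschap_ad:NT-Response:-00}"
}
```

With reject = 2 on mschap_default, a local failure lowers the priority of the reject instead of ending the section, so mschap_ad still runs; a user rejected by both instances is rejected overall.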


