mschap auth for multiple realms off different domain ctlrs?

Ross Wheeler freeradius.contact at albury.net.au
Tue Jul 28 06:57:28 CEST 2009


I've inherited a system which now needs changing and I can't seem to make it do 
it! I'm sure it can, but I'm just not familiar enough with FreeRadius to know 
how to coax it into doing what I need.

It's a fairly old system, FreeRADIUS Version 1.1.3.

Remote users connect to the host using the Windows VPN client, hence MS-CHAPv2; 
the call terminates on mpd running on FreeBSD, which authenticates using 
FreeRADIUS on the same host. That all works.

Problem is, the client has been like the Borg and assimilated another company 
and needs to support their roaming users too.

So now users log in as     user    and the request is done via an NTLM request to 
their primary domain controller 10.1.1.1 in realm company1.local.
This is configured in krb5.conf as far as I can determine.

FreeRadius also looks for a specific group membership with 
"--require-membership-of=company1-vpn-users"


I now need to support (additionally) another set of users logging in as
     otheruser  who will need to specify their realm as company2.

I can get freeradius to "see"  otheruser@company2.local   and it splits the 
username and realm out (as seen with radiusd -X), but what I can't figure out is 
how to tell it to still use the "local" auth but to know that it now has to use 
"company2.local" for its realm, to ask 10.1.1.3 instead of 10.1.1.1, and to 
look for group membership of "company2-vpn-users".

I thought I could perhaps use a variable and set that within a specific realm{} 
definition during auth, but I can't see how to define/use variables other than 
attributes offered or returned.

I have used

ntlm_auth --request-nt-key --username=user --password=xxx
     --domain=COMPANY1.LOCAL --require-membership-of=COMPANY1-VPN-USERS

ntlm_auth --request-nt-key --username=otheruser --password=xxx
     --domain=COMPANY2.LOCAL --require-membership-of=COMPANY2-VPN-USERS

and I get the right answers, so it looks like the settings in my krb5.conf are 
working, but I just can't see how to get freeradius to make the request this 
way.

(Yes, I know the correct request will use --challenge= and --nt-response= but 
I'm "assuming" if I can get the rest of the request right, it'll "just work")

Any help please? I've googled and tried more things than I can document here 
without driving you nuts!

RossW
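One way to express the "second realm, second DC, second group" split the post asks for, added here as an illustrative radiusd.conf fragment rather than anything from the thread or the FreeRADIUS project: it keeps the stock mschap instance for company1 and adds a second, named instance of the same module whose ntlm_auth line carries the other --domain and --require-membership-of, with the users file steering requests whose Realm was split out as company2.local to that instance. It assumes FreeRADIUS 1.x module-instance and Auth-Type-section syntax, a realm company2.local already defined as LOCAL in proxy.conf (the post says the split already works), and the instance name mschap_company2 and Auth-Type name MSCHAP-COMPANY2 are placeholders; which DC (10.1.1.1 or 10.1.1.3) answers for each domain is decided by the winbind/krb5 side that ntlm_auth relies on, not by this file.

```conf
# radiusd.conf -- added example, FreeRADIUS 1.x syntax, names are placeholders.
modules {
    # Splits "otheruser@company2.local" into Stripped-User-Name and Realm.
    realm suffix {
        format    = suffix
        delimiter = "@"
    }

    # Existing instance: company1 users.  Challenge and NT-Response come from
    # the MS-CHAPv2 attributes in the request via the mschap xlat.
    mschap {
        ntlm_auth = "/usr/local/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --domain=COMPANY1.LOCAL --require-membership-of=COMPANY1-VPN-USERS --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
    }

    # Second instance of the same module: only the domain and the required
    # group differ.  The DC it reaches (10.1.1.3) is chosen by winbind/krb5.
    mschap mschap_company2 {
        ntlm_auth = "/usr/local/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --domain=COMPANY2.LOCAL --require-membership-of=COMPANY2-VPN-USERS --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
    }
}

authorize {
    preprocess
    suffix      # sets Realm = "company2.local" for the new users
    files       # users file (below) picks the Auth-Type for that realm first
    mschap      # for everyone else: sees MS-CHAP attrs, sets Auth-Type MS-CHAP
                # (it leaves an Auth-Type that files already set untouched)
}

authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
    # Custom section name becomes a valid Auth-Type value for the users file.
    Auth-Type MSCHAP-COMPANY2 {
        mschap_company2
    }
}

# /etc/raddb/users -- one line routes the second realm to the second instance.
# DEFAULT Realm == "company2.local", Auth-Type := MSCHAP-COMPANY2
```

Run radiusd -X and check that a company2.local login reports Auth-Type MSCHAP-COMPANY2 and that the ntlm_auth line printed carries COMPANY2.LOCAL; a group-membership failure shows up as ntlm_auth returning non-zero rather than as a bad password.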



More information about the Freeradius-Users mailing list