mschap auth for multiple realms off different domain ctlrs?

Ivan Kalik tnt at kalik.net
Tue Jul 28 10:39:20 CEST 2009


> I have used
>
> ntlm_auth --request-nt-key --username=user --password=xxx
>      --domain=COMPANY1.LOCAL --require-membership-of=COMPANY1-VPN-USERS
>
> ntlm_auth --request-nt-key --username=otheruser --password=xxx
>      --domain=COMPANY2.LOCAL --require-membership-of=COMPANY2-VPN-USERS
>
> and I get the right answers, so looks like the settings in my krb5.conf
> are working, but I just can't see how to get freeradius to make the
> request this way.
>
> (Yes, I know the correct request will use --challenge= and --nt-response=
> but I'm "assuming" if I can get the rest of the request right, it'll "just
> work")

Create two mschap module instances, mschap_co1 with the first ntlm_auth line
and mschap_co2 with the second one. Then create redundancy inside Auth-Type
MS-CHAP (default server for mschap requests, inner-tunnel for peap):

Auth-Type MS-CHAP {
     if (Realm == "company1.local") {
          mschap_co1
     }
     elsif (Realm == "company2.local") {
          mschap_co2
     }
     else {
          # or reject if you don't want to try users file, sql, ldap
          # or other accounts
          mschap
     }
}

Ivan Kalik
Kalik Informatika ISP
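Added example (not from Ivan's post or the FreeRADIUS project): the two module instances his reply refers to, written as they would appear in a FreeRADIUS 2.x modules/ file. The ntlm_auth path, the %{...} expansions borrowed from the stock mschap configuration, and the proxy.conf realm stanza are assumptions for illustration; the domain and group names are the ones from the quoted command lines.

```conf
# Constructed example: one mschap instance per Windows domain, each
# running its own ntlm_auth command. The --challenge and --nt-response
# expansions carry the real MS-CHAPv2 challenge/response from the
# request, so no plaintext --password is involved as it was in the
# hand-run test above. Path and expansions are assumptions.

mschap mschap_co1 {
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00} --domain=COMPANY1.LOCAL --require-membership-of=COMPANY1-VPN-USERS"
}

mschap mschap_co2 {
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00} --domain=COMPANY2.LOCAL --require-membership-of=COMPANY2-VPN-USERS"
}

# The Realm == "..." checks in the Auth-Type MS-CHAP block only work if
# the suffix (realm) module has run in authorize and knows the realm.
# Assumed proxy.conf entries that mark both realms as local, so the
# module sets Realm and Stripped-User-Name without proxying:
#
# realm company1.local {
#         authhost = LOCAL
#         accthost = LOCAL
# }
# realm company2.local {
#         authhost = LOCAL
#         accthost = LOCAL
# }
```

Because each instance hard-codes its --domain and --require-membership-of, a user whose realm selects mschap_co2 is never checked against COMPANY1's VPN group, which is the membership boundary the flag is there to enforce.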



