mschap auth for multiple realms off different domain ctlrs?
Ivan Kalik
tnt at kalik.net
Tue Jul 28 10:39:20 CEST 2009
> I have used
>
> ntlm_auth --request-nt-key --username=user --password=xxx
> --domain=COMPANY1.LOCAL --require-membership-of=COMPANY1-VPN-USERS
>
> ntlm_auth --request-nt-key --username=otheruser --password=xxx
> --domain=COMPANY2.LOCAL --require-membership-of=COMPANY2-VPN-USERS
>
> and I get the right answers, so looks like the settings in my krb5.conf
> are working, but I just can't see how to get freeradius to make the
> request this way.
>
> (Yes, I know the correct request will use --challenge= and --nt-response=
> but I'm "assuming" if I can get the rest of the request right, it'll
> "just work")
Create two mschap module instances, mschap_co1 with the first ntlm_auth line
and mschap_co2 with the second one. Then create redundancy inside Auth-Type
MS-CHAP (default server for mschap requests, inner-tunnel for peap):
Auth-Type MS-CHAP {
    if (Realm == "company1.local") {
        mschap_co1
    }
    elsif (Realm == "company2.local") {
        mschap_co2
    }
    else {
        # or "reject" if you don't want to try users file, sql, ldap
        # or other accounts
        mschap
    }
}
Ivan Kalik
Kalik Informatika ISP
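Added example, not part of the original thread: the two module instances the reply calls for, written out as FreeRADIUS 2.x raddb config, plus the realm entries and the conditional in the authenticate section. Domain and group names are the ones from the question; the ntlm_auth path /usr/bin/ntlm_auth is assumed, and the %{mschap:Challenge} / %{mschap:NT-Response} expansions are the ones the stock mschap module uses so ntlm_auth receives the MS-CHAPv2 challenge/response rather than a clear-text password. It assumes the Realm attribute is populated, i.e. the suffix realm module runs in authorize before mschap and both realms are listed in proxy.conf with no authhost so they are handled locally.

```text
# raddb/modules/mschap_co1  (added example; path and names assumed as above)
mschap mschap_co1 {
    use_mppe = yes
    require_encryption = yes
    require_strong = yes
    # --challenge/--nt-response carry the MS-CHAPv2 material; the clear
    # password is never needed on the RADIUS side
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00} --domain=COMPANY1.LOCAL --require-membership-of=COMPANY1-VPN-USERS"
}

# raddb/modules/mschap_co2
mschap mschap_co2 {
    use_mppe = yes
    require_encryption = yes
    require_strong = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00} --domain=COMPANY2.LOCAL --require-membership-of=COMPANY2-VPN-USERS"
}

# raddb/proxy.conf: a realm with no authhost/accthost is authenticated
# locally; the suffix module in authorize then sets Realm and
# Stripped-User-Name from user@company1.local style logins
realm company1.local {
}
realm company2.local {
}

# raddb/sites-enabled/default and raddb/sites-enabled/inner-tunnel (for
# PEAP), authenticate section. The plain "mschap" entry stays in the
# authorize section: that is what sets Auth-Type MS-CHAP in the first place.
authenticate {
    Auth-Type MS-CHAP {
        if (Realm == "company1.local") {
            mschap_co1
        }
        elsif (Realm == "company2.local") {
            mschap_co2
        }
        else {
            # Unknown realm: reject explicitly so a request can never be
            # checked against the wrong domain; replace with "mschap" only
            # if local users/sql/ldap accounts are meant to be tried too.
            reject
        }
    }
}
```

A request for a realm that is not in proxy.conf arrives with no Realm attribute and lands in the else branch, which is the case to watch for in the debug output (radiusd -X) when a valid user is unexpectedly rejected.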