ntlm_auth and AD authentication

Paul Ryszka paul at webangel.ie
Mon Nov 23 21:16:49 CET 2009


On Mon, 2009-11-23 at 15:05 -0500, freeradius at corwyn.net wrote:
> At 02:33 PM 11/23/2009, Paul Ryszka wrote:
> >On Mon, 2009-11-23 at 13:35 -0500, freeradius at corwyn.net wrote:
> > > Am I going to have to do something like create different modules
> > > (ntlm_auth and ntlm_auth2) radiusd.conf in the module section?
> >
> >You need to create two separate entries in modules, i.e. two mschap
> >entries, something like:
> >mschap mschap_group1 {
> >         ...
> >         ntlm_auth = "your first ntlm_auth command"
> >}
> >mschap mschap_group2 {
> >         ...
> >         ntlm_auth = "your second ntlm_auth command"
> >}
> >and then have the respective mschaps used in the respective virtual
> >servers for each client.
> 
> I currently have (working):
> exec ntlm_auth {
>         wait = yes
>         program = "/usr/bin/ntlm_auth ntlm_auth --request-nt-key --domain=int.invtitle.com --username=%{mschap:User-Name} --password=%{User-Password} --require-membership-of=int.example.com+VPN_Users"
> }
> 
> so I'm not sure how that relates to mschap groups? I don't currently 
> have an mschap group at all in the radiusd.conf file.
> 
> Would I just create
> exec ntlm_auth_2 {
>         wait = yes
>         program = "/usr/bin/ntlm_auth ntlm_auth --request-nt-key --domain=int.invtitle.com --username=%{mschap:User-Name} --password=%{User-Password} --require-membership-of=int.example.com+Cisco_Users"
> }
> 
> And how do I control which group is used for auth from a specific client?
> 
> Rick
No, you have to have two different modules.
Look at how the mschap module looks in the default config (there is a
place for ntlm_auth there) and just copy it twice.
You can choose the module in the authorize section of the virtual server,
so you have one virtual server with mschap_group1 and the other with
mschap_group2.
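What the two-instance layout described in this reply looks like end to end, as an added example that is not part of the thread or of the FreeRADIUS distribution. It assumes a FreeRADIUS 2.x raddb layout (modules/, sites-enabled/, clients.conf); the instance names mschap_vpn and mschap_cisco, the domain int.example.com, the group names VPN_Users and Cisco_Users, the client addresses and the secrets are all placeholders. The ntlm_auth command line is the one the stock 2.x modules/mschap file uses (challenge and NT-Response rather than a plaintext password), with --domain and --require-membership-of added. The per-client steering uses the clients.conf virtual_server setting.

```conf
# raddb/modules/mschap_vpn   (added example; names and values are assumptions)
mschap mschap_vpn {
        use_mppe = yes
        require_encryption = yes
        require_strong = yes
        with_ntdomain_hack = yes
        # ntlm_auth is handed the MS-CHAP challenge and NT-Response, so no
        # plaintext password ever appears on the command line.
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=int.example.com --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --require-membership-of=int.example.com+VPN_Users"
}

# raddb/modules/mschap_cisco   (identical apart from the group)
mschap mschap_cisco {
        use_mppe = yes
        require_encryption = yes
        require_strong = yes
        with_ntdomain_hack = yes
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=int.example.com --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --require-membership-of=int.example.com+Cisco_Users"
}

# raddb/sites-enabled/vpn   (one virtual server per client group)
server vpn {
        authorize {
                preprocess
                # this instance sets Auth-Type for MS-CHAP requests it recognises
                mschap_vpn
        }
        authenticate {
                # Assumption: in 2.x a named mschap instance uses its own name as
                # Auth-Type when a matching Auth-Type block exists in this server;
                # confirm with "radiusd -X" before relying on it.
                Auth-Type mschap_vpn {
                        mschap_vpn
                }
        }
}

# raddb/sites-enabled/cisco
server cisco {
        authorize {
                preprocess
                mschap_cisco
        }
        authenticate {
                Auth-Type mschap_cisco {
                        mschap_cisco
                }
        }
}

# raddb/clients.conf   (which NAS lands in which virtual server)
client vpn_concentrator {
        ipaddr        = 192.0.2.10      # assumed address
        secret        = changeme-vpn    # placeholder
        virtual_server = vpn
}
client cisco_switch {
        ipaddr        = 192.0.2.20      # assumed address
        secret        = changeme-cisco  # placeholder
        virtual_server = cisco
}
```

Two points worth keeping in mind when adapting this. First, the exec-module variant earlier in the thread passes --password=%{User-Password} on ntlm_auth's argv, which any local user can read from the process table while ntlm_auth runs; the mschap module's challenge/NT-Response form avoids that, and is also what actually arrives in an MS-CHAP request (User-Password is only present for PAP). Second, run "radiusd -X" and push a test request through each client: the debug output shows which virtual server the request entered and which Auth-Type the mschap instance set, so a mismatch between the instance name and the Auth-Type block is caught immediately rather than as a silent "no authenticate method found" reject.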