One virtual server for MS-chapv2 against AD w/ ntlm_auth, the other one against ldap ntpasswd hash possible?

schilling schilling2006 at gmail.com
Tue Dec 7 20:08:38 CET 2010


We got ntlm_auth against AD working for PEAP; we also got a separate
server working for PEAP against the LDAP ntPassword hash.

In the latest etc/raddb/modules/mschap:
        # The module can perform authentication itself, OR
        # use a Windows Domain Controller.  This configuration
        # directive tells the module to call the ntlm_auth
        # program, which will do the authentication, and return
        # the NT-Key.  Note that you MUST have "winbindd" and
        # "nmbd" running on the local machine for ntlm_auth
        # to work.  See the ntlm_auth program documentation
        # for details.
        #
        # If ntlm_auth is configured below, then the mschap
        # module will call ntlm_auth for every MS-CHAP
        # authentication request.  If there is a cleartext
        # or NT hashed password available, you can set
        # "MS-CHAP-Use-NTLM-Auth := No" in the control items,
        # and the mschap module will do the authentication itself,
        # without calling ntlm_auth.
        #
        # Be VERY careful when editing the following line!

Is there any way to have one virtual server (1812/1813) for
mschapv2 with ntlm_auth against AD and another virtual server (1814/1815) for
mschapv2 against the LDAP ntPassword hash?

Here is our situation:
We have faculty/staff in Active Directory, so we are using ntlm_auth
against AD for their network authentication. Faculty/staff will sign
on with a username, and it will get directed to ntlm_auth against AD.
We have students in LDAP with ntPassword but not in AD. So we would
like to have students sign on with username at foo.edu, so we can
manipulate the RADIUS configuration to direct username at foo.edu to use
LDAP ntPassword authentication.

Is there any way using FreeRADIUS to accomplish this?

Thanks for any insight!

Schilling
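One way to build the split described in this post, as an added configuration example that is not part of the original thread or of the FreeRADIUS project's shipped configs. It assumes FreeRADIUS 2.x file layout, a virtual server named "students" (a name chosen here), a realm "foo.edu" declared locally in proxy.conf, and an ldap.attrmap that maps the ntPassword LDAP attribute to NT-Password; the key point is that the MS-CHAPv2 inside PEAP is handled in the inner-tunnel virtual server, so the MS-CHAP-Use-NTLM-Auth control item must be set there, not only in the outer server.

```unlang
# proxy.conf: a realm with no auth_pool/authhost is handled locally, so the
# suffix module only sets Realm and Stripped-User-Name and does not proxy.
realm foo.edu {
}

# radiusd.conf: extra listeners bound to their own virtual server
listen {
	type = auth
	ipaddr = *
	port = 1814
	virtual_server = students
}
listen {
	type = acct
	ipaddr = *
	port = 1815
	virtual_server = students
}

# sites-enabled/students: the outer server. PEAP is terminated by eap, and
# the inner MS-CHAPv2 is processed by the inner-tunnel virtual server named
# in eap.conf (peap { virtual_server = "inner-tunnel" }).
server students {
	authorize {
		suffix      # splits "user at foo.edu" into Stripped-User-Name + Realm
		eap
	}
	authenticate {
		eap
	}
}

# sites-enabled/inner-tunnel: choose the MS-CHAP backend per request.
server inner-tunnel {
	authorize {
		suffix
		# Students (realm foo.edu): pull NT-Password from LDAP and tell
		# mschap to verify the MS-CHAPv2 response itself, not via ntlm_auth.
		if (Realm == "foo.edu") {
			update control {
				MS-CHAP-Use-NTLM-Auth := No
			}
			ldap
		}
		# Everyone else keeps the module default: mschap calls ntlm_auth
		# against AD, exactly as in the working faculty/staff setup.
		mschap
		eap
	}
	authenticate {
		Auth-Type MS-CHAP {
			mschap
		}
		eap
	}
}
```

Because the realm check lives in inner-tunnel, the same inner server also serves the existing 1812/1813 default server: requests without the foo.edu realm keep going to ntlm_auth, so the second listener is only needed if the two populations must arrive on different ports.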



More information about the Freeradius-Users mailing list