Cisco ASA with fall through auth for LDAP and Active Directory
Harry Hoffman
hhoffman at ip-solutions.net
Mon Feb 1 15:29:31 CET 2010
Hi all,
I'm trying to set up freeradius-2.x to provide authentication for a Cisco
ASA VPN.
When the packet comes in I'd like to first check the LDAP database to
see if the user/pass combination works and, if it does not, then check against
Active Directory (using ntlm_auth).
Both LDAP and AD (via ntlm_auth) work separately. I've used the
following URL to setup the AD connectivity (via /etc/modules/ntlm_auth
for PAP and /etc/modules/mschap for MSCHAP):
http://deployingradius.com/documents/configuration/active_directory.html
Everything works as expected here. The username and password come across
in clear text, from the VPN, and are handed to ntlm_auth which is then
able to authenticate the user.
I'm stuck at trying to get freeradius to first check LDAP and then check
AD if the LDAP server says that the username and password combo are not
good.
I've searched both the mailing list and Google but am confused by some
of the answers given; specifically, this message seems to be talking
about a similar situation:
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg59368.html
Any help would be greatly appreciated.
Cheers,
Harry
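One way to express that LDAP-first, AD-second flow in FreeRADIUS 2.x unlang, added here as an illustration and not something from the original post or the linked guide. It assumes the `ldap` instance from raddb/modules/ldap and the `ntlm_auth` exec instance from the linked deployingradius guide are already configured and work on their own, and that the ASA sends clear-text (PAP) requests.

```unlang
# Added example (not from the post): raddb/sites-available/default, FreeRADIUS 2.x.
# Assumes the "ldap" instance (raddb/modules/ldap) and the "ntlm_auth" exec
# instance (raddb/modules/ntlm_auth) already exist and authenticate on their own.

authorize {
    preprocess
    # Look the user up in LDAP; when the entry exists this may set Auth-Type := LDAP.
    ldap
    # Clear-text (PAP) requests from the ASA: force the LDAP-then-AD path below
    # even for users LDAP does not know, so they still reach ntlm_auth.
    if (User-Password) {
        update control {
            Auth-Type := LDAP
        }
    }
}

authenticate {
    Auth-Type LDAP {
        # Try an LDAP bind as the user first. The return-code overrides turn a
        # failed bind (reject), an unknown user (notfound) or an LDAP outage
        # (fail) into "continue with the next module" instead of "stop here";
        # a successful bind returns ok immediately and AD is never consulted.
        ldap {
            ok       = return
            reject   = 1
            notfound = 1
            fail     = 1
        }
        # Fall through to Active Directory. Its verdict decides the request:
        # ok from ntlm_auth wins over the earlier reject; a reject from
        # ntlm_auth leaves the request rejected.
        ntlm_auth
    }
}
```

Note that `fail = 1` deliberately lets an unreachable LDAP server fall through to AD; drop that line if an LDAP outage should reject rather than silently shift all logins to AD. The `ldap` call in the authorize section still stops the request on fail, so give it the same override there if AD should be tried in that case too.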