Cisco ASA with fall through auth for LDAP and Active Directory

Harry Hoffman hhoffman at ip-solutions.net
Mon Feb 1 15:29:31 CET 2010


Hi all,

I'm trying to set up freeradius-2.x to provide authentication for a Cisco 
ASA VPN.

When the packet comes in I'd like to first check the LDAP database to 
see if the user/pass combination works and, if it does not, then check against 
Active Directory (using ntlm_auth).

Both LDAP and AD (via ntlm_auth) work separately. I've used the 
following URL to set up the AD connectivity (via /etc/modules/ntlm_auth 
for PAP and /etc/modules/mschap for MSCHAP):
http://deployingradius.com/documents/configuration/active_directory.html

Everything works as expected here. The username and password come across 
in clear text, from the VPN, and are handed to ntlm_auth which is then 
able to authenticate the user.

I'm stuck at trying to get freeradius to first check LDAP and then check 
AD if the LDAP server says that the username and password combo are not 
good.

I've searched both the mailing list and Google but am confused by some 
of the answers given; specifically, this message seems to be talking 
about a similar situation:
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg59368.html

Any help would be greatly appreciated.

Cheers,
Harry
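The fall-through the post asks for, written out as an added example of a FreeRADIUS 2.x unlang configuration; this is not the poster's configuration and not a fragment of the FreeRADIUS project's shipped files. It assumes an `ldap` module instance and the `ntlm_auth` exec instance from the linked deployingradius guide are already defined under /etc/raddb/modules, that the VPN sends PAP (clear-text User-Password), and it introduces a hypothetical Auth-Type name `ldap_then_ad`. The `reject = 1` / `notfound = 1` / `fail = 1` lines are unlang return-code overrides: they give those codes a numeric priority instead of the default "return", so the section keeps running and the following `if` can inspect the LDAP result.

```conf
# /etc/raddb/sites-available/default  (FreeRADIUS 2.x, added example, not from the post)

authorize {
    preprocess

    # Only clear-text passwords can be bound against LDAP, so only route
    # PAP requests to the two-stage Auth-Type.  MSCHAP requests keep
    # following the mschap module as set up in the deployingradius guide.
    if (User-Password) {
        update control {
            Auth-Type := ldap_then_ad      # hypothetical name, must match below
        }
    }
}

authenticate {
    Auth-Type ldap_then_ad {
        # Stage 1: bind to the LDAP directory as the user.
        # Override the fatal return codes so processing does not stop here.
        ldap {
            reject   = 1    # bad password in LDAP
            notfound = 1    # user does not exist in LDAP
            fail     = 1    # LDAP server unreachable
        }

        # Stage 2: if LDAP did not accept the user, hand the same
        # User-Name / User-Password to ntlm_auth (the rlm_exec instance
        # from /etc/raddb/modules/ntlm_auth) against Active Directory.
        if (reject || notfound || fail) {
            ntlm_auth
        }
    }
}
```

Two caveats worth knowing before deploying this. First, it only works for PAP: an MS-CHAP exchange never gives the server a reusable clear-text password, so there is nothing to bind to LDAP with, and the fall-through cannot be replicated for the mschap path. Second, every failed login now costs one LDAP bind plus one AD authentication, so each wrong guess is checked against two password stores; keep the ASA's lockout and the AD account lockout policy in mind, and log the stage that finally rejected the user so the two directories' failure counts can be told apart.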


