FreeRadius + AD + Realms
Matthew P
mayday64 at hotmail.com
Sat Jul 3 01:58:08 CEST 2010
>> realm mydomain.com {
>> auth_pool = active_directory
>
> You'll need a line:
>
> nostrip
>
> To avoid EAP identity issues.
This worked, thanks. Preprocess doesn't strip the username in the default server and EAP works.
Although, now a new problem arose - I can't seem to get the (stripped) username in the inner-tunnel with preprocess.
So the username stays in the form "user@mydomain.com", but that isn't usable for an LDAP search (on the AD).
(BTW, if I test without the realm portion of the scenario, i.e. AD is the only source of authentication, it works.)
> i.e. it doesn't proxy it.
>
> This *does* work in 2.1.9. So which version are you running?
I'm sorry, it was my mistake. I configured proxy_requests = no, because I thought it was meant for a server only when it was proxying requests from other sources (since this option opens a special proxying listening port).
Fixed now; proxying to the virtual server works.
> And why are you creating this complicated configuration? The
> "inner-tunnel" virtual server is set up *precisely* for this kind of
> authentication. You do EAP in the "default" server. Then, the
> "inner-tunnel" server gets the PAP password, and you can configure it to
> look the user up in AD there.
Because there are realms involved in the scenario.
If the realm is "mydomain.com", then RADIUS needs to look up the user in AD.
If the realm is "mydomain2.com", then it needs to consult SQL.
Otherwise it should proxy the request to a home server.
What would be a proper way to do this? I thought setting up a virtual server for every scenario was the way to go?
TIA!
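As an added illustration (not part of this thread, and not configuration shipped by the FreeRADIUS project) of the three-way realm split asked about above, handled inside the "inner-tunnel" virtual server as the earlier reply suggests. It assumes a FreeRADIUS 2.x layout: the realm definitions live in proxy.conf and are evaluated by the "suffix" instance of rlm_realm, an "ldap" module instance points at the AD, an "sql" instance holds the second domain's users, and "remote_home_servers" is an assumed home_server_pool name. The username extraction relies on the realm module setting the Realm attribute and on the ldap module's default filter falling back to Stripped-User-Name before User-Name; verify both against your own modules/ldap and proxy.conf before relying on them.

```conf
# proxy.conf (assumed placement).  All three realms keep "nostrip" so the
# outer EAP identity is never rewritten; that is what keeps EAP working.
realm mydomain.com {
	# no pool / home server: handled locally, never proxied
	nostrip
}
realm mydomain2.com {
	nostrip
}
realm DEFAULT {
	# anything else goes to the assumed remote pool; rlm_realm then adds
	# Proxy-To-Realm itself, and proxy_requests = yes must be set in radiusd.conf
	auth_pool = remote_home_servers
	nostrip
}

# sites-enabled/inner-tunnel, authorize section (assumed excerpt).
# The PAP/MS-CHAP inner identity arrives here with the "user@realm" form intact.
authorize {
	suffix                     # rlm_realm: sets the Realm attribute, leaves User-Name alone

	if (Realm == "mydomain.com") {
		# AD lookup wants the bare account name: copy the part before '@'
		# into Stripped-User-Name, which the ldap filter prefers over User-Name
		if (User-Name =~ /^([^@]+)@/) {
			update request {
				Stripped-User-Name := "%{1}"
			}
		}
		ldap
	}
	elsif (Realm == "mydomain2.com") {
		sql
	}
	# otherwise: Proxy-To-Realm was set by "suffix" for the DEFAULT realm,
	# so the inner request is proxied after authorize and nothing local runs

	pap
}
```

Running radiusd -X and watching the "suffix" module output ("Found realm ...", "Proxy-To-Realm ...") on one test login per realm is the quickest check that each branch is the one you intended.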