PEAP/MSCHAPv2 / Freeradius / AD
James J J Hooper
jjj.hooper at bristol.ac.uk
Thu Oct 13 22:35:02 CEST 2011
On 13/10/2011 21:16, Kevin Chan wrote:
> Hi all,
>
> Hopefully I got to the right group of people.
>
> We are trying to use Freeradius to do PEAP/MSCHAPv2
> authentication against Active Directory (2003). Our realm is
> abc.acme.edu, but since Eduroam doesn't allow subdomains, the end user has
> to use bob at acme.edu instead of bob at abc.acme.edu as the username.
Presumably you are in the US? ... It's a shame that US eduroam seems to
forbid subdomains for its own institutions (lots of organisations doing
eduroam in Europe use subdomain realms).
> My question is can you modify the realm behind the user's back?
> (during EAP process).
I think this may mess things up... but you shouldn't need to *modify* the
realm? [More info about your specifics please]?
The realm on the outer ID will get the auth to your FR (anything at uni.edu).
The realm [if present] on the inner ID is generally stripped before it
goes to ntlm_auth against your AD.
Regards,
James
--
James J J Hooper
Senior Network Specialist, University of Bristol
http://www.wireless.bristol.ac.uk
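
The flow described in the reply above, as an added sketch that is not part of the original post and is not FreeRADIUS code: the outer identity's realm only selects the destination, and the inner identity has its realm stripped for the `--username` passed to ntlm_auth. It goes one step further and computes the RFC 2759 challenge hash, which covers the username the supplicant sent, so a server-side realm rewrite changes it. Function names, the `"no-realm"` result and the identities are assumptions; the challenge bytes are the RFC 2759 section 9.2 test vector.

```python
import hashlib

# Test vector from RFC 2759 section 9.2 (its UserName is "User").
RFC_AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
RFC_PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")


def split_identity(identity):
    """Return (user, realm) for 'user@realm'; realm is None if absent."""
    user, sep, realm = identity.rpartition("@")
    return (user, realm.lower()) if sep else (identity, None)


def route_outer(outer_identity, local_realm):
    """The outer identity is used only to pick a destination by realm."""
    _, realm = split_identity(outer_identity)
    if realm is None:
        return "no-realm"  # assumption: left to local policy
    return "local" if realm == local_realm.lower() else "proxy"


def challenge_hash(peer_challenge, auth_challenge, username):
    """RFC 2759 ChallengeHash: first 8 bytes of SHA1(peer || auth || name)."""
    data = peer_challenge + auth_challenge + username.encode("ascii")
    return hashlib.sha1(data).digest()[:8]


def ntlm_auth_argv(inner_identity, peer_challenge, auth_challenge, nt_response):
    """Build the ntlm_auth call; the realm is stripped from --username only."""
    user, _ = split_identity(inner_identity)
    # The hash is computed over the name exactly as the supplicant sent it.
    challenge = challenge_hash(peer_challenge, auth_challenge, inner_identity)
    return ["ntlm_auth", "--request-nt-key", f"--username={user}",
            f"--challenge={challenge.hex()}",
            f"--nt-response={nt_response.hex()}"]


if __name__ == "__main__":
    inner = "bob@acme.edu"  # constructed identity
    print(route_outer("anonymous@acme.edu", "acme.edu"))
    # bytes(24) stands in for the 24-byte NT-Response (constructed).
    print(ntlm_auth_argv(inner, RFC_PEER_CHALLENGE, RFC_AUTH_CHALLENGE, bytes(24)))
    sent = challenge_hash(RFC_PEER_CHALLENGE, RFC_AUTH_CHALLENGE, inner)
    rewritten = challenge_hash(RFC_PEER_CHALLENGE, RFC_AUTH_CHALLENGE,
                               "bob@abc.acme.edu")
    print("hash survives realm rewrite:", sent == rewritten)
```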