PEAP/MSCHAPv2 / Freeradius / AD

James J J Hooper jjj.hooper at bristol.ac.uk
Thu Oct 13 23:43:33 CEST 2011


On 13/10/2011 21:35, James J J Hooper wrote:
> On 13/10/2011 21:16, Kevin Chan wrote:
>> Hi all,
>>
>> Hopefully I got to the right group of people.
>>
>> We are trying to use Freeradius to do PEAP/MSCHAPv2
>> authentication against Active Directory (2003). Our realm is
>> abc.acme.edu, but since Eduroam doesn't allow subdomains, the end user has
>> to use bob at acme.edu instead of bob at abc.acme.edu as username.
>
> Presumably you are in the US? ... It's a shame that US eduroam seems to
> forbid subdomains for its own institutions (lots of organisations doing
> eduroam in Europe use subdomain realms).

I re-read http://www.eduroamus.org/node/29 ...

It says that *you* shouldn't forward subdomains of your own realm to the 
national proxies, which would be filtered. This indeed makes sense for 
loop protection.

...and it implies "only usernames of the form user at institution.edu" should 
be accepted, but it doesn't actually state that you can't use subdomains.

I suppose it depends on how the "routing" on the US level eduroam proxies 
is set up:
if (Realm =~ /^(.+\.)?uni\.edu$/) { }
or
if (Realm =~ /^uni\.edu$/) { }

-James

-- 
James J J Hooper
Senior Network Specialist, University of Bristol
http://www.wireless.bristol.ac.uk
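
The two routing patterns discussed in the message above, compared on a few realms, together with the institution-side check that keeps its own realm and subdomains from being forwarded to the national proxies. This is an added example, not part of the original post and not FreeRADIUS configuration: the function names, the third "loose" pattern and the sample identities are assumptions made for illustration, and uni.edu is the placeholder realm from the message.

```python
import re

# Patterns a national proxy could use to route a realm to one institution.
EXACT = re.compile(r"^uni\.edu$", re.IGNORECASE)
WITH_SUBDOMAINS = re.compile(r"^(.+\.)?uni\.edu$", re.IGNORECASE)
# Assumed variant for comparison: without the dot inside the group,
# look-alike realms such as "notuni.edu" are routed to uni.edu as well.
LOOSE = re.compile(r"^(.+)?uni\.edu$", re.IGNORECASE)


def realm_of(user_name):
    """Return the lower-cased realm of an outer identity, or None if absent."""
    _, sep, realm = user_name.rpartition("@")
    return realm.lower() if sep and realm else None


def may_forward_upstream(user_name, home_realm="uni.edu"):
    """True only for realms that belong to someone else.

    The home realm and its subdomains stay on the institution's own server;
    forwarding them to the national proxy is what loop protection filters.
    """
    realm = realm_of(user_name)
    if realm is None:
        return False
    if realm == home_realm or realm.endswith("." + home_realm):
        return False
    return True


def national_matches(realm):
    """Report which pattern would route this realm to uni.edu."""
    return {
        "exact": bool(EXACT.fullmatch(realm)),
        "with_subdomains": bool(WITH_SUBDOMAINS.fullmatch(realm)),
        "loose": bool(LOOSE.fullmatch(realm)),
    }


if __name__ == "__main__":
    # Constructed sample identities.
    for name in ("bob@uni.edu", "bob@abc.uni.edu",
                 "eve@notuni.edu", "amy@other.ac.uk"):
        print(name, may_forward_upstream(name), national_matches(realm_of(name)))
```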