PEAP/MSCHAPv2 / Freeradius / AD
A.L.M.Buxey at lboro.ac.uk
Thu Oct 13 23:58:01 CEST 2011
> We are trying to use Freeradius to do PEAP/MSCHAPv2
> authentication against Active Directory (2003). Our realm is
> abc.acme.edu, but since Eduroam doesn't allow subdomain, end user has
> to use bob at acme.edu instead bob at abc.acme.edu as username.
you shouldnt send your own sub domains up to the national level - hopefully
they have picked up on issues that older eduroam federations have had in the
past....it can be the cause of loops... hopefully the national level has
loop detection mechanisms for if an end site does something silly.
it would be shame if they are stopping you from using sub-realms...its
quite common elsewhere...
but anyway, you shouldnt need to worry, the outerid is just like the address
on an envelope....to get the RADIUS request back to YOUR RADIUS servers.
once it gets there, the EAP tunnel is created and the innerID is exposed..and
that can be whatever you want - with realm or without realm. you can also
adjust the ntlm_auth command to send whatever realm you want locally to the AD
of course, could have issues with older clients where you cannot adjust outerID
> My question is can you modify the realm behind the user's back?
> (during EAP process).
the username does not need to be used as-is..generally you could (and many do!)
use the Stripped-User-Name in the ntlm_auth stage
More information about the Freeradius-Users