FreeRADIUS, 802.1x, and multiple user stores
Alan DeKok
aland at deployingradius.com
Wed Aug 1 19:19:25 CEST 2012
Jonathan L Ocab wrote:
> My next step is getting 802.1x working such that FreeRADIUS can authenticate users to different Active Directory user stores based on the domain provided.
That's not really how Active Directory works. The various domains
should all be accessible from one local AD server. Then, you
authenticate to that AD server, using the domain. The AD server figures
out how to authenticate the user.
This is a fundamental limitation in AD. As a result, it's a
fundamental limitation in Samba, which is AD compatible. As a result,
it's a fundamental limitation in FreeRADIUS, which uses Samba for AD
authentication.
> What would be the best way to implement FreeRADIUS such that authorization/authentication requests are confirmed against different Active Directory domains based on the domain information provided with the username?
Use the "--domain" parameter to ntlm_auth.
> Should I light up a new FreeRADIUS instance to correspond to each AD domain (or OpenLDAP) and proxy from the primary FreeRADIUS server handling 802.1x requests?
That shouldn't be necessary.
> Or should I handle it at the site configuration level and load a different 'ldap' module based on the domain provided with the username?
No.
Alan DeKok.
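To make the "--domain" advice concrete, here is an added configuration example (not from the original post, and not Alan's or the FreeRADIUS project's own config) showing how the mschap module hands the MS-CHAPv2 exchange to Samba's ntlm_auth with the domain taken from the DOMAIN\user login name. The path /usr/bin/ntlm_auth and the fallback domain name DEFAULTDOM are placeholders; the Samba host running winbindd is assumed to be joined to one domain that trusts the others, which is the arrangement Alan describes.

```conf
# mods-available/mschap (FreeRADIUS 3.x) or modules/mschap (2.x)
mschap {
    # Let Samba's winbindd do the actual AD authentication. The
    # %{mschap:NT-Domain} expansion returns the DOMAIN part of a
    # DOMAIN\user login; if the supplicant sends a bare username, the
    # %{...:-DEFAULTDOM} form substitutes the placeholder default domain.
    # The joined AD domain (via its trusts) decides which domain
    # controller actually checks the password, so no per-domain
    # FreeRADIUS instances or ldap modules are needed.
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{%{mschap:NT-Domain}:-DEFAULTDOM} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}"
}
```

Two checks before relying on this: run `wbinfo --trusted-domains` on the FreeRADIUS host to confirm winbindd can see every domain that users will log in from, and test one account per domain by hand with `ntlm_auth --request-nt-key --domain=<DOMAIN> --username=<user>` (it prompts for the password) so that a failure in `radiusd -X` can be attributed to Samba or to FreeRADIUS rather than guessed at. For supplicants that send user@realm instead of DOMAIN\user, the realm module's Realm attribute can stand in for the NT-Domain expansion.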