PEAP and multiple domains

alan buxey A.L.M.Buxey at
Mon Jul 16 17:28:55 CEST 2012


> redundant {
> 	mschap.domain1
> 	mschap.domain2
> }

that's just if the first one answers... then that's that.

you need fail-through, e.g. something like

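	Auth-Type MS-CHAP {
		group {
			# try domain1 first; a reject does not end processing
			mschap.domain1 {
				reject = 1
				ok = return
			}
			# only reached when domain1 did not return ok
			mschap.domain2 {
				ok = return
			}
		}
	}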

i.e. try mschap.domain1 and if it fails, then don't care about the result and try domain2
instead. obviously, once you have more in one than the other, then you want to switch them over.

we used this sort of construct when moving to a new AD domain.
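
Added example, not part of the original post and not FreeRADIUS code: a simplified Python model of rcode handling that contrasts the quoted `redundant` block with the fail-through `group`. The module stand-ins, the sample accounts and the rule that unlisted rcodes return immediately are assumptions made for illustration; the server's real per-section defaults differ in detail.

```python
# Simplified model of rcode handling (an assumption for illustration, not
# FreeRADIUS source): each child returns an rcode, and its action for that
# rcode is either "return" (stop now) or a numeric priority (keep going).

def run_section(children, user):
    """children: list of (name, module_fn, actions). Returns (rcode, tried)."""
    result, best, tried = None, 0, []
    for name, module, actions in children:
        rcode = module(user)
        tried.append(name)
        action = actions.get(rcode, "return")   # assumed: unlisted rcodes stop
        if action == "return":
            return rcode, tried
        if action > best:                        # keep highest-priority rcode
            result, best = rcode, action
    return result, tried

def make_domain(accounts):
    """Constructed stand-in for an mschap instance bound to one AD domain."""
    def module(user):
        name, password = user
        if accounts is None:
            return "fail"                        # domain controller unreachable
        return "ok" if accounts.get(name) == password else "reject"
    return module

# Constructed sample accounts: alice is still in domain1, bob was migrated.
domain1 = make_domain({"alice": "pw-a"})
domain2 = make_domain({"bob": "pw-b"})

# redundant { mschap.domain1  mschap.domain2 }: only "fail" moves on.
REDUNDANT = [("mschap.domain1", domain1, {"fail": 1}),
             ("mschap.domain2", domain2, {"fail": 1})]

# group from the reply: domain1 { reject = 1  ok = return }, domain2 { ok = return }
FAIL_THROUGH = [("mschap.domain1", domain1, {"reject": 1, "ok": "return"}),
                ("mschap.domain2", domain2, {"ok": "return"})]

if __name__ == "__main__":
    for label, section in (("redundant", REDUNDANT), ("fail-through", FAIL_THROUGH)):
        for user in (("alice", "pw-a"), ("bob", "pw-b"), ("bob", "wrong")):
            print(label, user[0], run_section(section, user))
```

With the fail-through group, a wrong password is checked against both domains before the reject is returned, so each failed login shows up as an attempt in both.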

