ntlm_auth child domain

Menard, Yannick Yannick.Menard at csp.qc.ca
Wed Nov 7 22:49:37 CET 2012


Hi,

Just to update, I was able to do what I intended to:

Here is what I did.

In the authenticate section of inner-tunnel and default
I added this:

        Auth-Type MS-CHAP {
                group {
                        mschap {
                                reject = 1
                                ok = return
                        }
                        mschap_tata {
                                reject = 1
                                ok = return
                        }
                        mschap_toto {
                                ok = return
                        }
                }
        }

And in mschap module I added:

mschap {
        with_ntdomain_hack = yes

        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=%{%{mschap:NT-Domain}:-%{Realm}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}


mschap mschap_tata {
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{%{mschap:NT-Domain}:-tata} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}
mschap mschap_toto {
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{%{mschap:NT-Domain}:-toto} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

I also added in proxy.conf:

realm tata {
}
realm toto {
}

With this I was able to do what I wanted.

I am able to permit users from both domains whether they write their user name like tata\username, toto\username, or just username.

I was also able to do PEAP authentication by just using the documentation.

Now I'm looking at LDAP to check the group membership of users and only permit certain groups and/or send attributes to those groups.

Thank you
Yannick Ménard
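The following is an added illustration, not part of the post and not FreeRADIUS code: a small Python model of how the Auth-Type MS-CHAP section above falls through the three mschap instances. It emulates the `%{%{mschap:NT-Domain}:-<default>}` expansion (an explicit `DOMAIN\user` prefix wins, otherwise each instance supplies its own default, and the plain `mschap` instance defaults to `%{Realm}`), and the `reject = 1` / `ok = return` priorities that let the section continue past a rejecting instance and stop at the first accepting one. The account directory, the `fake_ntlm_auth` stand-in for `/usr/bin/ntlm_auth`, and all user names are constructed for the example.

```python
"""Constructed model of the Auth-Type MS-CHAP fallback chain from the post.

Added example, not FreeRADIUS code: it shows which ntlm_auth call (instance,
--domain, user) would be the first to succeed for a given User-Name.
"""

# (instance name, --domain used when the User-Name carries no DOMAIN\ prefix).
# The first instance defaults to %{Realm}, which is empty unless a realm was
# parsed from the request; the other two hard-code their domain. (Constructed
# from the three module definitions in the post.)
MODULE_CHAIN = [
    ("mschap", None),
    ("mschap_tata", "tata"),
    ("mschap_toto", "toto"),
]

# Constructed stand-in for the two domain controllers: which accounts exist where.
DOMAIN_ACCOUNTS = {
    "tata": {"alice", "carol"},
    "toto": {"bob", "carol"},
}


def split_nt_domain(user_name):
    """Emulate mschap's NT-Domain extraction: 'DOMAIN\\user' -> ('DOMAIN', 'user').
    A name without a backslash yields no NT-Domain."""
    if "\\" in user_name:
        domain, _, user = user_name.partition("\\")
        return (domain or None), user
    return None, user_name


def expand_domain(nt_domain, instance_default, realm):
    """Model %{%{mschap:NT-Domain}:-<default>}: the NT-Domain taken from the
    username wins; otherwise the instance's default; for the plain 'mschap'
    instance that default is %{Realm}."""
    if nt_domain:
        return nt_domain
    return instance_default if instance_default is not None else realm


def fake_ntlm_auth(domain, user):
    """Constructed stand-in for /usr/bin/ntlm_auth: 'ok' only when the account
    exists in that domain; no domain at all is always a reject."""
    return bool(domain) and user in DOMAIN_ACCOUNTS.get(domain, set())


def authenticate(user_name, realm=None):
    """Walk the chain like the unlang section: instances are tried in order,
    'reject = 1' lets the section continue after a reject, 'ok = return'
    stops at the first success. Returns (instance, domain, user) or None."""
    nt_domain, user = split_nt_domain(user_name)
    for instance, default in MODULE_CHAIN:
        domain = expand_domain(nt_domain, default, realm)
        if fake_ntlm_auth(domain, user):
            return instance, domain, user
    return None


if __name__ == "__main__":
    for name in ["tata\\alice", "toto\\bob", "alice", "bob", "carol", "toto\\alice"]:
        print(f"{name:12} -> {authenticate(name)}")
```

Running it shows the behaviour the post describes (`tata\alice` and `toto\bob` succeed on the first instance, bare `alice` on `mschap_tata`, bare `bob` on `mschap_toto`) and one consequence worth checking in a real deployment: a bare user name that exists in both domains (`carol` here) is always authenticated against the first domain in the chain, so if the two domains hold different people under the same name, the order of the instances decides which account the session is attributed to.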

