MAC authentication Auth Key Mgmt

Matthew Newton mcn4 at leicester.ac.uk
Thu Oct 17 11:58:10 CEST 2013


On Wed, Oct 16, 2013 at 05:36:14PM -0700, Matthew Ceroni wrote:
> Thanks. I figured that would be the answer. I will come up with a solution
> based on your recommendations.

If you have access to both domains then you should be able to auth
against one, and if that fails, try the other.

It works best if there is a trust relationship between the
domains, so your RADIUS server only has to be joined to one
domain. Otherwise you should be able to run two instances of
samba, each joined to the different domain, and then try each auth
against both.

If you're using EAP-TTLS then you have access to the plaintext
password, so can auth against the parent domain's LDAP if you're
not actually joined. Nasty, but it will work.

If this is too complicated, and they don't have their own RADIUS
server, then you should be able to set up a second server that is
joined to their domain, and then proxy to that keyed off the
realm, or the form of the username, or the MAC address, etc. (I'd
try and find something that lets you identify the distinct groups
of users, to save having to manually maintain a list of MAC
addresses - even if it's "add @parentdomain to your username" or
similar.)

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
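The proxy setup sketched in the reply above, written out as a FreeRADIUS 3 configuration fragment. This is an added example, not configuration from the original post or from the FreeRADIUS project; the home server address, shared secret, realm name "parentdomain", the MAC OUI prefixes and the name of the second server are all placeholders. It shows the two selection keys the reply mentions: the realm suffix on the username (handled by the standard `suffix` realm module) and, for MAC-authenticated clients that have no username to decorate, a match on the Calling-Station-Id prefix.

```unlang
# --- proxy.conf -----------------------------------------------------------
# The second RADIUS server, joined to the parent domain (placeholder values).
home_server parent_domain_radius {
    type   = auth
    ipaddr = 192.0.2.10              # placeholder: address of the second server
    port   = 1812
    secret = "PLACEHOLDER-SHARED-SECRET"
    status_check = status-server     # detect a dead home server instead of timing out
}

home_server_pool parent_domain_pool {
    type        = fail-over
    home_server = parent_domain_radius
}

# Requests for user@parentdomain (or with Proxy-To-Realm set below) go here.
realm parentdomain {
    auth_pool = parent_domain_pool
    nostrip                          # forward the full user at parentdomain name
}

# --- sites-enabled/default, authorize section --------------------------------
authorize {
    preprocess

    # Splits "user@parentdomain" into Stripped-User-Name and Realm and,
    # because the realm exists in proxy.conf, sets control:Proxy-To-Realm.
    suffix

    # MAC-auth clients have no realm to add, so key off the MAC address instead.
    # Match on a per-group OUI prefix rather than maintaining a list of full MACs.
    # Accepts "00-11-22-..." and "00:11:22:..." forms (placeholder OUIs).
    if (!&control:Proxy-To-Realm && &Calling-Station-Id =~ /^(00[:-]11[:-]22|aa[:-]bb[:-]cc)/i) {
        update control {
            &Proxy-To-Realm := "parentdomain"
        }
    }

    # Everything else is authenticated locally against the domain this server is joined to.
    if (!&control:Proxy-To-Realm) {
        ntlm_auth                    # or mschap/ldap, whatever the local join uses
    }
}
```

With this in place a request carrying `User-Name = alice@parentdomain` is forwarded by the realm module alone, and a MAC-auth request whose Calling-Station-Id starts with one of the listed prefixes is forwarded by the explicit rule; anything else stays local. Make sure the matching Calling-Station-Id format is the one your NAS actually sends (separator and case vary by vendor), otherwise the prefix test silently never matches and the client falls through to local authentication.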

