authenticating a guest domain/ntlm_auth in a different AD

Rui Ribeiro ruyrybeyro at gmail.com
Thu Jan 29 22:26:37 CET 2015


Thanks Matthew, my missing piece was exactly that I was not getting that I could
call the module/mschap as domain2 in unlang. Stupid, because I am doing things
like that with linelog.

Thanks a million.

Regards,
Rui

>
> Message: 6
> Date: Thu, 29 Jan 2015 17:34:53 +0000
> From: Matthew Newton <mcn4 at leicester.ac.uk>
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Re: authenticating a guest domain/ntlm_auth in a different AD
> Message-ID: <20150129173453.GB24929 at rootmail.cc.le.ac.uk>
> Content-Type: text/plain; charset=us-ascii
>
> On Thu, Jan 29, 2015 at 03:54:52PM +0000, Rui Ribeiro wrote:
> > I would like to authenticate a guest domain in a different AD in FR3. I
> ...
> > The idea of having two mschap configurations is for calling ntlm_auth
> > with a different Windows DOMAIN.
>
> OK.
>
> > More specifically, this does not work. Is it wiser to build a new FR for
> > the guest domain?
>
> You can do it all in one copy of FreeRADIUS. No need to run it
> twice. There are many ways to do this. You will need to make sure
> that the AD domains trust each other as your RADIUS server will
> (normally) only be joined to one domain, so will send all auth
> requests to that one.
>
> You could add something like
>
>   --domain=%{Realm}
>
> to your existing ntlm_auth command line, but you probably want to
> do some sanity checks on the realm first in unlang.
>
>
> Another method similar to how we've done here in the past would be
> to define two instances of the mschap module. So in
> mods-available/mschap, copy the
>
> mschap {
> ...
> }
>
> section, and call it e.g.
>
> mschap domain2 {
> ...
> }
>
> Update the domain2 ntlm_auth one with your new domain.
>
>
> Then you need to work out which one to use - either code this
> with if() in unlang, or use the call 'suffix' in authorize{}
> (which is enabled by default).
>
> Then you should be able to update your authenticate{} section from
>
> Auth-Type MS-CHAP {
>   mschap
> }
>
> to something like
>
> Auth-Type MS-CHAP {
>   if (Realm =~ /@my.second.realm$/) {
>     domain2
>   }
>   else {
>     mschap
>   }
> }
>
> If you can't get it working, post the full FreeRADIUS debug output
> (radiusd -X) to the list, otherwise nobody can tell what's going
> wrong.
>
> Matthew
>
>
> --
> Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
>
> Systems Specialist, Infrastructure Services,
> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
>
> For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
>
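As an added example (not code from Rui's or Matthew's mails), the two-instance layout Matthew describes written out as FreeRADIUS 3 configuration. The NetBIOS domain name DOMAIN2, the realm my.second.realm and the ntlm_auth path are assumed; the realm sanity check in authorize is one possible form of the check Matthew suggests.

```conf
# mods-available/mschap: the default instance plus a second one for the guest AD.
mschap {
    use_mppe = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

# Second instance, called as "domain2" from unlang. Same helper, pinned to the
# guest domain (assumed name DOMAIN2). winbind on this host is joined to one
# domain only, so that domain must trust DOMAIN2 or ntlm_auth will fail.
mschap domain2 {
    use_mppe = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=DOMAIN2 --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

# proxy.conf: a realm with no auth_pool is handled locally, so user@my.second.realm
# sets Realm and Stripped-User-Name without being proxied anywhere.
realm my.second.realm {
}

# sites-enabled/default, authorize section: suffix splits user@realm, then any
# "@something" that suffix did not recognise is rejected instead of being
# tried against the default domain with the full user@realm as the username.
authorize {
    suffix
    if (User-Name =~ /@/ && !Realm) {
        reject
    }
    mschap
}

# sites-enabled/default, authenticate section: pick the instance by realm.
# suffix stores the realm without the "@", so compare on the bare name.
authenticate {
    Auth-Type MS-CHAP {
        if (Realm == "my.second.realm") {
            domain2
        }
        else {
            mschap
        }
    }
}
```

Both instances show up as separate module calls in `radiusd -X` output, which makes it easy to confirm which domain a given request was sent to.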

