AD Auth Question

Martin, Jeremy jmartin at emcc.edu
Sat Dec 30 17:19:09 CET 2017 

Hello

I have a question about AD authentication that I can't seem to find an answer to in the documentation.  The question simply boils down to this: who do I specify a configuration when dealing with domain.com and subdomain.domain.com?

We currently use 802.1x on all network ports and have three login scenarios:

1.       802.1x using PEAP-MSCHAPv2 (domain computers)

2.       802.1x using MD5 (yes I know this is older but that is what the devices support)

3.       MAC address authentication (printers, cameras, etc)

Right now NPS is the first RADIUS server inline and handles all the PEAP requests for machine authentication if the traffic does not conform a specific pattern -  if it does conform the traffic is forwarded to freeradius for scenarios 2 & 3.  The end goal is to get down to a single server instead of a relayed configuration.  What is required is the ability to support both domain.com and subdomain.domain.com or domain A and domain B and computers could be a member from either domain.  I also need to find a way to not have these users defined in freeradius as most of the guides seem to point to but instead validate the return results based on the group membership (Domain Computers) from either group, each domain gets a unique vlan assignment from NPS based on this relationship.

I pulled this from FreeRADIUS guides:

exec ntlm_auth {
                wait = yes
                program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
        }

Which leads to the questions about multi domain configurations which I can't find mentioned anywhere in the wiki's, faqs or internet in general which leads me to think that this is one of three cases:

1.       This configuration is uncommon

2.       This configuration is not possible

3.       I am just being dense in the head (I prefer to believe this is not the scenario).

Using the NTLM_AUTH test tool I am able to specify the domain and get a successful auth as there is a trust between these parent and child domains but because everything is based on the samaccountname the domain has to be specified with the tool.  I also understand that calling the ntlm_auth program may not be the best way to go and that a library exists but I believe the base question(s) are still relevant in both cases.  Any guidance would greatly be appreciated even if it is stick what you got.

Thanks
Jeremy

More information about the Freeradius-Users mailing list