Active Directory authentication into subtree structure
Alan DeKok
aland at deployingradius.com
Fri Jul 7 20:07:49 CEST 2017
On Jul 7, 2017, at 10:44 AM, Alejandro Cabrera Obed <aco1967 at gmail.com> wrote:
>
> Dear, I've implemented a Freeradius service that let authenticate users
> with PEAP/MSCHAPv2/NTLM against an Active Directory tree from a Windows
> Domain Controller server. In this scenario every user is authenticated
> developing a search from the root of the Active Directory tree.
>
> Suppose my domain is "company.com", and now I need to authenticate users
> against some subtrees like these:
>
> sales.company.com
> support.company.com
>
> and not from the AD's root:
>
> company.com
>
> Is this possible to do this with my current implementation?
Yes. Just pass the subdomain to ntlm_auth.
You can test this on the command-line with ntlm_auth, and a test user.
Once that works, test it with radclient doing MS-CHAP against the "inner-tunnel" virtual server. See the comments at the top of "inner-tunnel" for more information.
Once that works, PEAP should work.
Alan DeKok.
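The two command-line checks Alan describes (ntlm_auth with the subdomain, then radclient doing MS-CHAP against the inner-tunnel) as a small POSIX shell script. This is an added example, not code from the thread or from the FreeRADIUS project. It assumes the NetBIOS short name of a subdomain is its first DNS label in upper case (SALES for sales.company.com; confirm with `wbinfo --all-domains` on the Samba host), that the inner-tunnel virtual server listens on its default 127.0.0.1:18120, and that the shared secret there is the default testing123. The user name, password and domain values are placeholders supplied on the command line.

```shell
#!/bin/sh
# Added example: verify AD subdomain authentication the way the reply suggests,
# first with ntlm_auth directly, then with radclient against "inner-tunnel".

# Map a DNS subdomain (sales.company.com) to the NetBIOS short name
# ntlm_auth expects in --domain= (assumption: first label, upper case).
netbios_from_fqdn() {
    printf '%s\n' "${1%%.*}" | tr 'a-z' 'A-Z'
}

# ntlm_auth prints "NT_STATUS_OK: Success (0x0)" on success and an
# NT_STATUS_* error otherwise; return 0 only on the success line.
ntlm_status_ok() {
    case "$1" in
        *NT_STATUS_OK*) return 0 ;;
        *) return 1 ;;
    esac
}

# Step 1: ask winbind directly, passing the subdomain, not the forest root.
# The password is given on the command line, so use a throw-away test user.
test_ntlm_auth() {
    fqdn=$1; user=$2; pass=$3
    dom=$(netbios_from_fqdn "$fqdn")
    if ! command -v ntlm_auth >/dev/null 2>&1; then
        echo "ntlm_auth not installed; skipping step 1" >&2
        return 2
    fi
    out=$(ntlm_auth --request-nt-key --domain="$dom" \
          --username="$user" --password="$pass" 2>&1)
    echo "ntlm_auth ($dom\\$user): $out"
    ntlm_status_ok "$out"
}

# Step 2: MS-CHAP through FreeRADIUS itself. radclient turns
# MS-CHAP-Password into MS-CHAP-Challenge/MS-CHAP-Response, so this
# exercises the same mschap -> ntlm_auth path PEAP will use later.
test_inner_tunnel() {
    user=$1; pass=$2; secret=${3:-testing123}
    if ! command -v radclient >/dev/null 2>&1; then
        echo "radclient not installed; skipping step 2" >&2
        return 2
    fi
    printf 'User-Name = "%s"\nMS-CHAP-Password = "%s"\n' "$user" "$pass" |
        radclient -x 127.0.0.1:18120 auth "$secret"
}

# Usage: sh ad-subdomain-check.sh sales.company.com testuser 'Secret123'
if [ $# -ge 3 ]; then
    test_ntlm_auth "$1" "$2" "$3" && test_inner_tunnel "$2" "$3"
fi
```

Run step 1 on the machine where winbind is joined to the domain; if it reports NT_STATUS_OK for the subdomain, put the same `--domain=` value (or the `%{mschap:NT-Domain}` expansion) on the `ntlm_auth` line of the mschap module and repeat with step 2 while watching `radiusd -X`. Only when radclient gets Access-Accept from the inner-tunnel is it worth testing PEAP from a real client.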