Post Auth and Logging Multiple MSCHAP modules
Matthew Newton
matthew at newtoncomputing.co.uk
Mon Jun 5 17:11:56 CEST 2017
On Mon, Jun 05, 2017 at 10:45:55AM -0400, Alan DeKok wrote:
> You *should* be deciding what domain to use up front, and
> then selecting the appropriate MS-CHAP module based on that.
> That way, the "mschap-a" module doesn't get overloaded with
> requests which really should be for "mschap-b"
About the only time I've found this useful is in the transition
stage between two AD domains when the list of users in each
domain is changing rapidly as they move over. But this is just a
temporary configuration.
In that situation, however, nobody cares about *where* the auth
is actually going. And at the end of the move the old mschap
config is just removed.
Other than that, different realms or an LDAP lookup can easily
find the right domain to authenticate against first.
--
Matthew
More information about the Freeradius-Users
mailing list