"Heiden, John" <[EMAIL PROTECTED]> wrote:
> So kind of imagine a tree of sorts. The leaves/branches are
> the Cisco ASXXXX servers, they go back and authenticate to a
> Linux server with Free Radius. The Linux/FreeRADIUS server
> then ultimately authenticates the users back to an AD server.
> But the different pools need different policies, etc. for
> connect time, and so forth.

That's nice. How do you tell which pool a user is in?

> Does this make it clearer? I apologize if I was too confusing
> before. Or is there a way to get away from multiple realms
> given my situation? Oh, and I need to have separate accounting
> logs for each pool also. Meaning, I can't have everything
> accounted into the same file. Each pool would need to have
> separate accounting logs.

FreeRADIUS can do that, once you figure out how to separate the users into pools.

> Would it make sense to authenticate to the AD via RADIUS as
> well? Or just use LDAP?

Active Directory doesn't do RADIUS.

> I'm curious, why won't chap work? I really don't care if
> MS-CHAP breaks, we have never supported it here in the past.
> But it strikes me as odd that it would break CHAP.

Blame Active Directory. It won't let FreeRADIUS have access to the plain-text passwords.

Alan DeKok.
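Why CHAP fails when the backend will not release the clear-text password, as an added example that is not part of the original thread or of FreeRADIUS: a CHAP response (RFC 1994) is MD5 over the identifier, the password and the challenge, so the server must hold the password itself to recompute it. The SHA-256 `one_way` function is an assumed stand-in for a directory's one-way password storage, not Active Directory's actual format, and the password is a constructed sample.

```python
import hashlib
import hmac
import os


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: MD5 over identifier byte, secret, then challenge."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def one_way(password: bytes) -> bytes:
    """Assumed stand-in for a directory that stores only a one-way hash."""
    return hashlib.sha256(password).digest()


def verify_chap(ident: int, challenge: bytes, response: bytes,
                stored_secret: bytes) -> bool:
    """Server side: recompute the response from whatever the backend holds."""
    expected = chap_response(ident, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def verify_pap(password_from_client: bytes, stored_hash: bytes) -> bool:
    """PAP hands the server the password, so a hash-only backend can check it."""
    return hmac.compare_digest(one_way(password_from_client), stored_hash)


def demo() -> dict:
    password = b"constructed-sample-password"   # constructed sample value
    ident, challenge = 7, os.urandom(16)        # server-chosen per attempt
    client_resp = chap_response(ident, password, challenge)
    stored_hash = one_way(password)             # all a hash-only backend has
    return {
        # Backend exposes the clear-text password: CHAP verifies.
        "chap_with_cleartext": verify_chap(ident, challenge, client_resp, password),
        # Backend exposes only a hash: the recomputed MD5 never matches.
        "chap_with_hash_only": verify_chap(ident, challenge, client_resp, stored_hash),
        # Same hash-only backend, but the client sent the password (PAP).
        "pap_with_hash_only": verify_pap(password, stored_hash),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```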
