I've inherited a system which now needs changing and I can't seem to make it do it! I'm sure it can, but I'm just not familiar enough with FreeRADIUS to know how to coax it into doing what I need.

It's a fairly old system, FreeRADIUS Version 1.1.3.

Remote users connect to the host using the Windows VPN client, hence MS-CHAPv2; the call terminates on mpd running on FreeBSD, which authenticates against FreeRADIUS on the same host. That all works.

Problem is, the client has been like the Borg and assimilated another company, and needs to support their roaming users too.

So now users log in as user and the request is done via an NTLM request to their primary domain controller 10.1.1.1 in realm company1.local.
This is configured in krb5.conf as far as I can determine.

FreeRADIUS also looks for a specific group membership with "--require-membership-of=company1-vpn-users".


I now need to support (additionally) another set of users logging in as otheruser, who will need to specify their realm as company2.

I can get FreeRADIUS to "see" otheru...@company2.local and it splits the username and realm out (as seen with radiusd -X), but what I can't figure out is how to tell it to still use the "local" auth but to know that it now has to use "company2.local" for its realm, to ask 10.1.1.3 instead of 10.1.1.1, and to look for group membership of "company2-vpn-users".

I thought I could perhaps use a variable and set that within a specific realm{} definition during auth, but I can't see how to define/use variables other than attributes offered or returned.

I have used

ntlm_auth --request-nt-key --username=user --password=xxx
    --domain=COMPANY1.LOCAL --require-membership-of=COMPANY1-VPN-USERS

ntlm_auth --request-nt-key --username=otheruser --password=xxx
    --domain=COMPANY2.LOCAL --require-membership-of=COMPANY2-VPN-USERS

and I get the right answers, so it looks like the settings in my krb5.conf are working, but I just can't see how to get FreeRADIUS to make the request this way.

(Yes, I know the correct request will use --challenge= and --nt-response= but I'm "assuming" if I can get the rest of the request right, it'll "just work")

Any help please? I've googled and tried more things than I can document here without driving you nuts!

RossW
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
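One way to get the realm-dependent domain and group into the ntlm_auth call, as an added example that is not part of the original post and not FreeRADIUS or Samba code: put a small wrapper script in place of ntlm_auth and let radiusd hand it the realm. The wrapper reproduces the two manual ntlm_auth commands shown in the post (same --domain and --require-membership-of values), so which DC answers for each domain stays, as in those manual tests, the job of winbind/krb5.conf. The radiusd.conf hook in the comment (the mschap module's `ntlm_auth =` setting with the `%{Realm}`, `%{Stripped-User-Name}` and `%{mschap:...}` expansions), the script path and the ntlm_auth path are assumptions; the `ntlm-by-realm` name is made up for this example. An unrecognised realm is refused rather than defaulted, so a stranger cannot steer the lookup to a domain of their choosing by typing an arbitrary user@realm.

```shell
#!/bin/sh
# ntlm-by-realm: choose the ntlm_auth domain and required group from the
# RADIUS realm. Added example, not from the original post, FreeRADIUS or Samba.
#
# Assumed radiusd.conf hook (mschap module, ntlm_auth setting):
#   ntlm_auth = "/usr/local/sbin/ntlm-by-realm %{Realm:-none} \
#       %{Stripped-User-Name:-%{User-Name:-None}} \
#       %{mschap:Challenge:-00} %{mschap:NT-Response:-00}"
# so radiusd passes: REALM USER CHALLENGE NT-RESPONSE

NTLM_AUTH="${NTLM_AUTH:-/usr/local/bin/ntlm_auth}"   # assumed path

# lower-case a string (POSIX sh has no ${var,,})
lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# realm_to_domain REALM -> Windows domain ntlm_auth should ask for.
# No realm (or the "none" default from %{Realm:-none}) keeps the old
# behaviour: company1. Anything else is refused (fail closed).
realm_to_domain() {
    case "$(lc "$1")" in
        ""|none|company1.local) echo COMPANY1.LOCAL ;;
        company2.local)         echo COMPANY2.LOCAL ;;
        *)                      return 1 ;;
    esac
}

# realm_to_group REALM -> group the user must belong to in that domain.
realm_to_group() {
    case "$(lc "$1")" in
        ""|none|company1.local) echo COMPANY1-VPN-USERS ;;
        company2.local)         echo COMPANY2-VPN-USERS ;;
        *)                      return 1 ;;
    esac
}

# build_ntlm_args REALM USER CHALLENGE NT-RESPONSE
# Prints the ntlm_auth arguments one per line, mirroring the two manual
# commands from the post. Returns 1 for an unknown realm.
build_ntlm_args() {
    domain=$(realm_to_domain "$1") || return 1
    group=$(realm_to_group "$1")   || return 1
    printf '%s\n' "--request-nt-key" "--username=$2" "--domain=$domain" \
        "--challenge=$3" "--nt-response=$4" "--require-membership-of=$group"
}

main() {
    [ $# -eq 4 ] || { echo "usage: $0 REALM USER CHALLENGE NT-RESPONSE" >&2; exit 2; }
    args=$(build_ntlm_args "$@") || {
        echo "ntlm-by-realm: unknown realm '$1', rejecting" >&2
        exit 1
    }
    # Rebuild argv from the newline-separated list; globbing is off so a
    # '*' in a username cannot expand to file names.
    set -f
    IFS='
'
    set -- $args
    # ntlm_auth prints "NT_KEY: ..." on success and exits non-zero on a bad
    # password or failed group check; radiusd's mschap module reads both.
    exec "$NTLM_AUTH" "$@"
}

# Only run when invoked with arguments (as radiusd does); sourcing the file
# just defines the functions.
if [ $# -gt 0 ]; then main "$@"; fi
```

The wrapper needs to be executable by the user radiusd runs as, and the `--challenge`/`--nt-response` values come from the mschap expansions rather than a plain password, which is the form the post notes the real request must take.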
