I'm sorta struggling with the same thing, a la a single "NAS" (Cisco switch) requiring multiple auth types: 1.) VTY / enable access from NetEng group (in AD), 2.) 802.1x auth for everyone! Similar with VPN appliance, VTYs AND IPSec auths. The request type will differ for each type of request, so it's "simply" a matter of uniquely identifying each type of request and performing the conditional processing. Easy, right? :)
I shared some emails with Ivan on this issue and got close, but then got involved in other things so never got fully resolved. Seems there are several ways to do it, but I THINK the common thread is to use unlang and / or hints to set the auth_type as required and/or direct the requests to a virtual server that does what you need.

If / when I get this worked out I intend to publish a "How To", but if you beat me to it please share! I've spent MANY MANY hours on it thus far and now I've forgotten much of it!

Gary

-----Original Message-----
From: freeradius-users-bounces+ggatten=waddell....@lists.freeradius.org [mailto:[email protected] g] On Behalf Of [email protected]
Sent: Monday, November 23, 2009 12:35 PM
To: FreeRadius users mailing list; [email protected]
Subject: Re: ntlm_auth and AD authentication

At 10:24 AM 11/23/2009, [email protected] wrote:
>to confirm, and it looks like it's working.

Hmm. I have two sets of authentication I care about, VPN Users, and Cisco switches. I'd like to be able to control access to each of those separately (different AD Security Groups, and different shared keys).

I've found instructions for restricting ntlm_auth to a particular security group, by adding --require-membership-of={SID|Name} to the ntlm_auth command. But I can't puzzle out how I'd then have one set of authentication for one security group, and one set of authentication for a second security group. (Currently any AD user works.)

Am I going to have to do something like create different modules (ntlm_auth and ntlm_auth2) in radiusd.conf in the module section?

Rick

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
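One way to lay out what the two messages above describe, as an added example that is not from the thread or from the FreeRADIUS project: a separate client entry and shared secret per NAS, two named instances of the exec module each pinned to one AD group with --require-membership-of, and unlang in authorize selecting the Auth-Type by request source. It assumes FreeRADIUS 2.x syntax and PAP (User-Password) requests; the addresses, secrets, domain, ntlm_auth path, instance names and group SIDs are placeholders.

```conf
# clients.conf: one entry and one shared secret per NAS (constructed addresses)
client vpn {
	ipaddr = 192.0.2.10
	secret = REPLACE_WITH_VPN_SECRET
}
client switch1 {
	ipaddr = 192.0.2.20
	secret = REPLACE_WITH_SWITCH_SECRET
}

# modules/ntlm_auth: two instances of the exec module, one per AD group.
# VPN_GROUP_SID and NETENG_GROUP_SID stand in for the real group SIDs.
exec ntlm_auth_vpn {
	wait = yes
	program = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{User-Name} --password=%{User-Password} --require-membership-of=VPN_GROUP_SID"
}
exec ntlm_auth_switch {
	wait = yes
	program = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{User-Name} --password=%{User-Password} --require-membership-of=NETENG_GROUP_SID"
}

# sites-available/default
authorize {
	preprocess
	# Key on the packet source (the address the shared secret is bound to),
	# not on an attribute the NAS fills in itself.
	if (Packet-Src-IP-Address == 192.0.2.10) {
		update control {
			Auth-Type := ntlm_auth_vpn
		}
	}
	elsif (Packet-Src-IP-Address == 192.0.2.20) {
		update control {
			Auth-Type := ntlm_auth_switch
		}
	}
	else {
		# A known client with no group mapping gets no default AD check.
		reject
	}
}
authenticate {
	Auth-Type ntlm_auth_vpn {
		ntlm_auth_vpn
	}
	Auth-Type ntlm_auth_switch {
		ntlm_auth_switch
	}
}
```

Running the server with `radiusd -X` shows which branch matched and which exec instance ran for each request.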

