Hi Alan,

Thanks for the hint.
Just to be sure: both users (username and usern...@foo.edu) will use EAP, MSCHAPv2 to authenticate. But there is only one mschap module in etc/raddb/modules/?

Regards,
Schilling

On Tue, Dec 7, 2010 at 3:41 PM, Alan DeKok <al...@deployingradius.com> wrote:
> schilling wrote:
>> We got ntlm_auth against AD working for PEAP, we also got separate
>> server for PEAP against ldap ntPassword hash.
>>
>> ...
>> Is there any way to have a virtual server(1812/1813) for
>> mschapv2-ntlm_auth-AD and another virtual server(1814/1815) for
>> mschapv2-ldap ntPassword hash?
>
> Yes. But I don't think that's necessary.
>
>> Here is our situation:
>> We have faculty/staff in active directory. So we are using ntlm_auth
>> against AD for their network authentication. Faculty/staff will sign
>> on with username, it will get directed to ntlm_auth against AD.
>> We have students in ldap with ntPassword but not in AD. So we would
>> like to have students sign on with usern...@foo.edu, so we can
>> manipulate the radius configuration to direct usern...@foo.edu to use
>> ldap ntPassword authentication.
>>
>> Is there any way using freeradius to accomplish this?
>
> Yes. And you don't need two virtual servers.
>
> 1) edit the "authorize" section to do...
> 2) if people log in with "u...@foo.edu", run "ldap"
> 3) else force "ntlm_auth"
>
> You might have to declare a "foo.edu" realm, but that shouldn't be an
> issue. The config should really be about 10 lines changed from the default.
>
> Develop this by:
>
> 1) adding realm "foo.edu"
> 2) enabling ldap
> 3) checking authentication
>
> 4) adding "if not realm foo.edu"
> 5) do ntlm_auth, as per the docs, wiki, etc.
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
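
Added example, not part of the original thread and not configuration posted by either participant: one way the realm-based split described in the quoted steps can be written with a single mschap module. It assumes a FreeRADIUS 2.x layout, an `ntlm_auth` line already set in `modules/mschap`, an ldap attribute map that turns `ntPassword` into `NT-Password`, and that the `MS-CHAP-Use-NTLM-Auth` control attribute is present in the installed version's dictionary (check before relying on it).

```unlang
# --- raddb/proxy.conf -------------------------------------------------
# A realm with no server pool is handled locally, so user@foo.edu is
# recognised by "suffix" but never proxied anywhere.
realm foo.edu {
}

# --- raddb/sites-available/inner-tunnel -------------------------------
# The PEAP inner MSCHAPv2 exchange is processed by this virtual server.
authorize {
        suffix                  # sets Realm when the name ends in @foo.edu

        if (Realm == "foo.edu") {
                # Students: fetch the NT hash from LDAP
                # (assumption: ldap.attrmap maps ntPassword -> NT-Password).
                ldap

                # Tell mschap to verify against NT-Password instead of
                # calling ntlm_auth for this request only.
                update control {
                        MS-CHAP-Use-NTLM-Auth := No
                }
        }
        # Everyone else (bare "username"): nothing is set here, so mschap
        # falls through to the ntlm_auth helper configured in modules/mschap.

        mschap

        # Keep ldap above eap so the hash is loaded before EAP takes over.
        eap {
                ok = return
        }
}

authenticate {
        Auth-Type MS-CHAP {
                mschap          # one module instance serves both branches
        }
        eap
}
```

Running the server in debug mode (`radiusd -X`) with one faculty and one student test account shows which branch each request takes; a student request should show no `ntlm_auth` execution, and a faculty request should show no LDAP search.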