Moe, John wrote:
> Yeah, the information in that one is, as you said, simple and "just enough".
> However, it doesn't address either of the two questions I asked.
>
> 1) Is setting "Auth-Type = ntlm_auth" the correct way for doing what I want,
> or have I mis-configured something so that FreeRadius could work out that it
> needs to use ntlm_auth on its own?

In this case, it won't work out that it needs to use ntlm_auth. This is because ntlm_auth is an "authentication oracle", i.e. *it* is doing the authentication, not FreeRADIUS.

This is just like proxying. The home server does the authentication, but the proxy needs to be told when to proxy.

Even with that, I'm not sure why you're asking this question. The web page clearly describes when to use "Auth-Type = ntlm_auth", how it works, and what effects it will have. What part of that is not applicable to what you want to do?

> 2) How do I match a rule against AD Group membership? This one was answered
> in a previous reply, and I think I can work out the implementation details
> from there, I just need to do some work and testing.

You can configure AD as an LDAP server, and use the LDAP-Group attribute for group membership checking. See doc/rlm_ldap, and LDAP in the Wiki.

Alan DeKok.

