Hi,

Just to update: I was able to do what I intended to.

Here is what I did.

In the authenticate section of inner-tunnel and default,
I added this:

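        Auth-Type MS-CHAP {
                group {
                        # reject = 1: a reject does not end the group,
                        # so the next mschap instance is tried.
                        mschap {
                                reject = 1
                                ok = return
                        }
                        mschap_tata {
                                reject = 1
                                ok = return
                        }
                        # Last instance: no reject override.
                        mschap_toto {
                                ok = return
                        }
                }
        }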

And in the mschap module I added:

mschap {
        with_ntdomain_hack = yes

        # Must stay on one line; the mail client wrapped the original.
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=%{%{mschap:NT-Domain}:-%{Realm}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

# Second instance: falls back to the domain "tata" when the user gives none.
mschap mschap_tata {
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{%{mschap:NT-Domain}:-tata} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

# Third instance: falls back to the domain "toto" when the user gives none.
mschap mschap_toto {
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{%{mschap:NT-Domain}:-toto} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

I also added in proxy.conf:

realm tata {
}
realm toto {
}

With this I was able to do what I wanted.

I am able to permit users from both domains whether they write their username as 
tata\username, toto\username or just username.

I was also able to do PEAP authentication just by using the documentation.

Now I’m looking at LDAP to check the group membership of users and only permit 
certain groups and/or send attributes to those groups.

Thank you
Yannick Ménard
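
Added example, not part of the original post and not FreeRADIUS code: a simplified Python model of how the `reject = 1` / `ok = return` overrides in the group above decide which mschap instances run. The function name, the comparison group and the per-module outcomes are constructed for illustration, and any return code without an override is assumed to end the group.

```python
# Added illustration: simplified model of return-code priorities in a group.
RETURN = "return"  # action that ends the group at once with the current code

# Per-module overrides copied from the post's Auth-Type MS-CHAP group, in order.
POST_GROUP = [
    ("mschap",      {"reject": 1, "ok": RETURN}),
    ("mschap_tata", {"reject": 1, "ok": RETURN}),
    ("mschap_toto", {"ok": RETURN}),
]
# Same instances without the "reject = 1" overrides, for comparison.
NO_OVERRIDE_GROUP = [(name, {"ok": RETURN}) for name, _ in POST_GROUP]


def run_group(group, outcomes):
    """Return (final_code, modules_called) for one request.

    outcomes: module name -> code that instance would return (constructed
    stand-in for the ntlm_auth result). Assumption of this model: a code
    with no override acts as "return".
    """
    result, priority, called = None, 0, []
    for name, overrides in group:
        code = outcomes[name]
        called.append(name)
        action = overrides.get(code, RETURN)
        if action == RETURN:
            return code, called          # stop: later instances never run
        if action >= priority:           # numeric priority: remember, go on
            result, priority = code, action
    return result, called


if __name__ == "__main__":
    # Constructed cases: which instance (if any) accepts the credentials.
    cases = {
        "user in tata": {"mschap": "reject", "mschap_tata": "ok", "mschap_toto": "reject"},
        "user in toto": {"mschap": "reject", "mschap_tata": "reject", "mschap_toto": "ok"},
        "unknown user": {"mschap": "reject", "mschap_tata": "reject", "mschap_toto": "reject"},
    }
    for label, outcomes in cases.items():
        print(label, "with overrides:", run_group(POST_GROUP, outcomes))
        print(label, "without:       ", run_group(NO_OVERRIDE_GROUP, outcomes))
```

In this model a wrong password costs one ntlm_auth attempt per instance, which matters when the domains enforce account lockout thresholds.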

