Hello
I use redundant-load-balance for ldap user auth to authenticate users to a
pool of active directory servers for one service. That seems to work well.
I'm trying to think why I don't do that for ntlmauth (used inside mschap
inner-tunnel) for another service.
I've knocked that up to test it with mschap modules like (with N being
1,2,3,4,5)
mschap mschapadN {
    with_ntdomain_hack = yes
    ntlm_auth = "/usr/local/bin/mschap-ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --configfile=/etc/samba/smb-adN.conf"
}
where /etc/samba/smb-adN.conf is the same as the others except for
"password server = adN.domain"
and then in the inner-tunnel site I have
authenticate {
    Auth-Type MS-CHAP {
        redundant-load-balance {
            mschapad1
            mschapad2
            ..
            mschapadN
        }
    }
}
Is this along the lines that others follow? If not, how does ntlmauth
handle the AD server being down? Does ntlmauth/winbind handle AD being
down so freeradius does not have to?
Thanks,
Neil
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
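The chain above only does what the poster wants if each mschapadN module distinguishes "this domain controller is unreachable" (move on to the next one) from "this credential is wrong" (stop, do not retry against the remaining N-1 servers, which would otherwise multiply bad-password counters). The following is an added illustration of that decision, not code from the post, from FreeRADIUS or from Samba. It assumes the documented ntlm_auth output format: a line beginning "NT_KEY:" on success with --request-nt-key, and "NT_STATUS_<name>: <text> (0x<code>)" on failure. The set of statuses treated as infrastructure failures, and all sample outputs, are constructed and would need tuning against what your winbind actually returns.

```python
"""Classify ntlm_auth results so a failover chain only advances to the next
AD server on infrastructure failure, never on a rejected credential.

Added illustration; assumes the ntlm_auth output format described in the
lead-in. Sample outputs and the INFRA_STATUS set are constructed."""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# NT status values that point at the domain controller rather than the
# credential. Assumption: extend from observed winbind output.
INFRA_STATUS = {
    "NT_STATUS_NO_LOGON_SERVERS",
    "NT_STATUS_IO_TIMEOUT",
}

# "NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)"
STATUS_RE = re.compile(r"^(NT_STATUS_[A-Z0-9_]+):.*\((0x[0-9A-Fa-f]+)\)")


@dataclass(frozen=True)
class NtlmResult:
    outcome: str               # "ok", "reject" or "fail"
    status: Optional[str]      # NT_STATUS_* name, "TIMEOUT", or None
    nt_key: Optional[str]      # hex NT key on success, else None


def classify(exit_code: Optional[int], output: str) -> NtlmResult:
    """Map one ntlm_auth run (exit code, captured stdout) to ok/reject/fail.

    exit_code None models a helper killed by a timeout wrapper."""
    if exit_code is None:
        return NtlmResult("fail", "TIMEOUT", None)
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("NT_KEY:"):
            return NtlmResult("ok", None, line.split(":", 1)[1].strip())
        m = STATUS_RE.match(line)
        if m:
            status = m.group(1)
            outcome = "fail" if status in INFRA_STATUS else "reject"
            return NtlmResult(outcome, status, None)
    if exit_code == 0:
        # Success without a key line (no --request-nt-key given).
        return NtlmResult("ok", None, None)
    # Non-zero exit with no NT_STATUS line: credential rejections always
    # carry a status, so treat this as the helper or winbind being broken.
    return NtlmResult("fail", None, None)


def authenticate_with_failover(
    servers: List[str],
    run: Callable[[str], Tuple[Optional[int], str]],
) -> Tuple[str, List[Tuple[str, str]]]:
    """Try servers in order; run(server) performs ntlm_auth against that
    server's smb-adN.conf and returns (exit_code, stdout).

    Stops at the first definite answer (ok or reject); only "fail" advances."""
    tried: List[Tuple[str, str]] = []
    for server in servers:
        result = classify(*run(server))
        tried.append((server, result.outcome))
        if result.outcome != "fail":
            return result.outcome, tried
    return "fail", tried


# Constructed stand-in for running ntlm_auth against each password server.
SAMPLE_OUTPUT = {
    "ad1": (1, "NT_STATUS_NO_LOGON_SERVERS: No logon servers (0xc000005e)\n"),
    "ad2": (1, "NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)\n"),
    "ad3": (0, "NT_KEY: 0123456789ABCDEF0123456789ABCDEF\n"),
    "ad4": (None, ""),   # helper hung and was killed by a timeout wrapper
}


def fake_run(server: str) -> Tuple[Optional[int], str]:
    return SAMPLE_OUTPUT[server]


if __name__ == "__main__":
    print(authenticate_with_failover(["ad1", "ad2", "ad3"], fake_run))
    print(authenticate_with_failover(["ad4", "ad1", "ad3"], fake_run))
```

With the constructed samples, the first call skips ad1 (no logon servers), then stops at ad2 with "reject" and never consults ad3; the second call skips the hung ad4 and unreachable ad1 and succeeds on ad3. Whatever wraps ntlm_auth in the chain needs to surface the same distinction to the mschap module, since a chain that treats every non-zero exit alike will either fail over on wrong passwords or refuse to fail over on dead servers.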