That's not an easy scenario. Perhaps the simplest solution would work for you.
You could implement a generic account on the firewall called say "wifi-user". SSH into the firewall (not using Kerberos or anything) and log in using the shared password for "wifi-user". The login shell could point to a script that would ask for an NTLM-friendly username & password, and the firewall could then attempt to read a file from \\someserver\someshare\file.txt using samba. If the contents of that file match a pre-known string (say 'authenticated') then you know that the supplied username & password are valid on the AD. If so, then proceed with authpf. Now set up read permissions on that file.txt, and give read permission to an AD group called "wifi-users" and add the users to the "wifi-users" group. It's not fancy, and I'm sure that some people on the list would distaste the inelegance of the solution, but it has worked in the past for me with a squid-proxy setup.

On 8/15/06, Steve Shockley <[EMAIL PROTECTED]> wrote:
> I'm researching setting up a wireless gateway using OpenBSD and authpf. We've got an existing Active Directory (2003) domain with about 5000 user accounts that I'd like to authenticate against. LDAP seemed like the obvious choice, but it appears I need to create local accounts to use login_ldap, and it'd be unwieldy to sync 5000 users. There's also a patch for nsswitch, but I'd rather not use a custom build if I don't have to. Kerberos also sounded like a good idea, but if I understand correctly, the clients would need a Kerberized ssh client, and they'd have to be able to access the KDC before logging in to the gateway. Is there a better way to do this?
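One way to script the login shell the reply sketches, as an added example that is not code from either poster: it assumes smbclient is installed on the firewall, takes the probe path \\someserver\someshare\file.txt and the token "authenticated" from the reply, uses a placeholder AD domain EXAMPLE, and is installed as /usr/local/bin/wifi-login as the shared "wifi-user" account's login shell.

```shell
#!/bin/sh
# Assumed layout (not from the thread): the shared "wifi-user" account's
# login shell is this script, installed as /usr/local/bin/wifi-login.
# It proves the AD credentials by reading a probe file over SMB and only
# then hands the session to authpf, as described in the reply above.

SMBCLIENT=${SMBCLIENT:-smbclient}             # overridable for testing
PROBE_UNC=${PROBE_UNC:-//someserver/someshare}
PROBE_FILE=${PROBE_FILE:-file.txt}
PROBE_TOKEN=${PROBE_TOKEN:-authenticated}
AD_DOMAIN=${AD_DOMAIN:-EXAMPLE}               # placeholder domain name

# Accept only plain sAMAccountName characters, so the typed name cannot
# smuggle options or shell metacharacters into the smbclient call.
valid_username() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Succeeds only when the probe file is readable with the given credentials
# AND carries the expected token. Credentials are passed through a mode-600
# auth file (mktemp default), never on the command line, so ps(1) never
# shows the password.
ad_credentials_valid() {
    user=$1; pass=$2
    valid_username "$user" || return 1
    authfile=$(mktemp) || return 1
    out=$(mktemp) || { rm -f "$authfile"; return 1; }
    printf 'username = %s\npassword = %s\ndomain = %s\n' \
        "$user" "$pass" "$AD_DOMAIN" > "$authfile"
    if "$SMBCLIENT" "$PROBE_UNC" -A "$authfile" -c "get $PROBE_FILE $out" \
        >/dev/null 2>&1 && [ "$(cat "$out")" = "$PROBE_TOKEN" ]; then
        rc=0
    else
        rc=1
    fi
    rm -f "$authfile" "$out"
    return $rc
}

# Login-shell entry point: prompt, verify, then exec authpf on success.
main() {
    printf 'AD username: '; read -r user
    printf 'AD password: '; stty -echo; read -r pass; stty echo; echo
    if ad_credentials_valid "$user" "$pass"; then
        exec /usr/sbin/authpf
    fi
    echo 'Authentication failed.' >&2; exit 1
}
case "$0" in *wifi-login) main ;; esac
```

Because authpf only ever sees the shared "wifi-user" account, its own log lines will not carry the AD username; log it from this script (for example with logger) if you need that audit trail.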