Always use radiusd -X when debugging!
It is assumed that you have followed the AD integration document on Alan's site (http://deployingradius.com/documents/configuration/active_directory.html) and have AD accounts working for both PAP and MSCHAP/PEAP requests. It is also assumed that the server is configured so that it can successfully authenticate accounts stored elsewhere (users file, sql, ldap, ...) using PAP and MSCHAP/PEAP as well. The goal here is to serve both kinds of account from one server: MSCHAP requests are first checked against the local password store and fail over to AD (ntlm_auth) only when the local mschap instance rejects them, and PAP requests are handed to ntlm_auth only when no local module found a password for the user.
Rename the default mschap instance (the one without an ntlm_auth setting, which checks NT-Password/Cleartext-Password found by users, sql, ldap, ...) to mschap_default:
mschap mschap_default {
}
Rename the mschap instance configured to use ntlm_auth (the one from the AD integration document) to mschap_ad:
mschap mschap_ad {
ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
Replace all mschap entries in the default and inner-tunnel virtual servers (and in any others you use) with mschap_default. Then edit Auth-Type MS-CHAP so that a rejection by the local instance fails over to AD. The authenticate section of the default virtual server handles plain MSCHAP requests; the inner-tunnel virtual server handles the EAP-MSCHAPv2 inside PEAP, so the same block is needed in both:
Auth-Type MS-CHAP {
mschap_default {
reject = 2
}
if (reject) {
mschap_ad
}
}
The "reject = 2" override turns mschap_default's reject from an immediate end of the section into a priority, so processing continues to the "if (reject)" check and mschap_ad gets its turn; without it the request would be rejected before AD is consulted. If the majority of your accounts are stored in AD, list mschap_ad first (with the same reject = 2 override) and fail over to mschap_default.
The AD integration document suggests forcing Auth-Type ntlm_auth in the users file. Instead of doing that, add this bit of unlang after pap in the authorize section of the default virtual server. At that point mschap_default has already set Auth-Type MS-CHAP for MSCHAP requests and pap has set Auth-Type PAP for any user with a locally known password, so only PAP requests for users unknown to the local stores are sent to ntlm_auth:
if (!control:Auth-Type) {
update control {
Auth-Type = "ntlm_auth"
}
}
You can add the same to the inner-tunnel virtual server so that AD accounts also work for EAP-TTLS/PAP requests (PAP inside the tunnel; EAP-TLS has no inner password exchange, so this does not apply to it).
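The procedure above, assembled into one set of configuration fragments, as an added example that is not part of the original page or of the FreeRADIUS distribution. It assumes the FreeRADIUS 3.x file layout (mods-available, sites-available), ntlm_auth at /usr/bin/ntlm_auth, an AD domain called EXAMPLE (only used by the exec module copied from the AD integration document), and local accounts in the users file and sql; adjust the module list to whatever holds your local accounts.

```unlang
# Added example, not from the original page.
# Assumptions: /usr/bin/ntlm_auth, domain EXAMPLE, local accounts in
# files + sql, instance names mschap_default / mschap_ad.

# ---- mods-available/mschap -----------------------------------------------
# Local accounts: MS-CHAP against NT-Password / Cleartext-Password that
# users, sql, ldap, ... placed in the control list during authorize.
mschap mschap_default {
}

# AD accounts: challenge and response are handed to winbind via ntlm_auth.
mschap mschap_ad {
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

# ---- mods-available/ntlm_auth (exec module from the AD integration doc) --
# Used for PAP requests only: the cleartext password is checked against AD.
exec ntlm_auth {
	wait = yes
	program = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{mschap:User-Name} --password=%{User-Password}"
}

# ---- sites-available/default (same changes in sites-available/inner-tunnel)
authorize {
	# ... stock entries (preprocess, suffix, eap, ...) stay as they are;
	# only "mschap" is replaced and the fallback after pap is new.
	mschap_default		# sets Auth-Type MS-CHAP when MS-CHAP attributes are present
	files
	sql			# or ldap, ...: whatever holds the local accounts
	pap			# sets Auth-Type PAP when a local password was found
	# PAP request for a user with no locally known password: try AD.
	if (!control:Auth-Type) {
		update control {
			Auth-Type = "ntlm_auth"
		}
	}
}

authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type MS-CHAP {
		# reject = 2 makes a reject a priority instead of an immediate
		# stop, so the section continues to the if (reject) check.
		mschap_default {
			reject = 2
		}
		if (reject) {
			mschap_ad
		}
	}
	Auth-Type ntlm_auth {
		ntlm_auth
	}
	# ... stock entries (eap, ...) stay as they are.
}
```

To check the failover, run radiusd -X and send one request of each kind, e.g. radtest -t mschap localuser localpass localhost 0 testing123 and radtest -t mschap aduser adpass localhost 0 testing123 (and the same two without -t for PAP). For the local user the debug output shows mschap_default returning ok; for the AD user it shows mschap_default returning reject followed by mschap_ad running ntlm_auth. Two caveats from practice: the user radiusd runs as must be allowed to read winbind's privileged socket (add it to the winbind privileged group, as the AD integration document describes), and recent Samba releases disable NTLMv1 by default, so ntlm_auth may need --allow-mschapv2 together with "ntlm auth = mschapv2-and-ntlmv2-only" in smb.conf before MS-CHAPv2 against AD works at all.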
Last edited by Arran Cudbard-Bell, 2011-11-13 00:38:42