Yet, somehow, IAS does CHAP against AD. Is anyone willing to bet *against* the idea that Microsoft has one API for customers, and another, better API for themselves?
So surely you could proxy CHAP requests to IAS, and authenticate other requests using the superior powers of FreeRADIUS. You'd end up with a post-proxy section that looks a lot like your post-auth section.
I'm probably terribly terribly wrong here, but to my mind you _should_ be able to. After all, MS _have_ supplied a RADIUS interface to the passwords on the server, which seems an improvement over having to write the W32API authentication calls yourself.
In my case I am ONLY using Radius for our VPN and do not really expect this to change. While I would like to use freeradius it does not make much sense to do so. For others your suggestion probably makes more sense.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html