The idea is that the only place where pool membership would be
defined is in the AD.  The problem is that each pool needs to
be independent, and sometimes users move between pools.  And the
only place (that they want to keep track of) membership is in
the AD.

That kind of sucks about CHAP.  Oh well, not my problem then.

I am pretty sure that AD does RADIUS.  Or am I thinking of the
OS under AD?  (2000?)



John

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Alan DeKok
Sent: Wednesday, November 19, 2003 12:13 PM
To: [EMAIL PROTECTED]
Subject: Re: Multiple realm authentication with FreeRADIUS back to
Active Directory? 


"Heiden, John" <[EMAIL PROTECTED]> wrote:
> So kind of imagine a tree of sorts.  The leaves/branches are
> the Cisco ASXXXX servers, they go back and authenticate to a
> Linux server with Free Radius.  The Linux/FreeRADIUS server
> then ultimately authenticates the users back to an AD server.
> But the different pools need different policies, etc. for
> connect time, and so forth.

  That's nice.  How do you tell which pool a user is in?

> Does this make it clearer?  I apologize if I was too confusing
> before.  Or is there a way to get away from multiple realms
> given my situation?  Oh, and I need to have separate accounting
> logs for each pool also.  Meaning, I can't have everything
> accounted into the same file.  Each pool would need to have
> separate accounting logs.

  FreeRADIUS can do that, once you figure out how to separate the
users into pools.

> Would it make sense to authenticate to the AD via RADIUS as
> well?  Or just use LDAP?

  Active Directory doesn't do RADIUS.

> I'm curious, why won't chap work?  I really don't care if
> MS-CHAP breaks, we have never supported it here in the past.
> But it strikes me as odd that it would break CHAP.

  Blame Active Directory.  It won't let FreeRADIUS have access to the
plain-text passwords.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
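
The CHAP limitation discussed in the thread, as an added example that is not part of the original messages and is not FreeRADIUS code: a CHAP response is MD5 over the identifier, the password and the challenge (RFC 1994), so the server has to hold the clear-text password to recompute it, while PAP only needs a backend that can check a password it is handed. `BindOnlyDirectory` is a hypothetical stand-in for a directory that verifies passwords but never discloses them; the user name, password and challenge are constructed.

```python
import hashlib
import hmac
import os

def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

class BindOnlyDirectory:
    """Hypothetical directory: answers 'is this password right?', never returns it."""
    def __init__(self, users):
        self._salt = os.urandom(16)
        # Only a salted one-way hash is kept (constructed scheme, for illustration).
        self._hashes = {u: self._h(p) for u, p in users.items()}

    def _h(self, password: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password, self._salt, 1000)

    def bind(self, user: str, password: bytes) -> bool:
        stored = self._hashes.get(user)
        return stored is not None and hmac.compare_digest(stored, self._h(password))

def verify_pap(directory, user, password):
    # PAP: the RADIUS server sees the password itself and can pass it to bind().
    return directory.bind(user, password)

def verify_chap(known_password, chap_id, challenge, response):
    # CHAP: the server only receives MD5 output, so it must recompute the digest
    # from the clear-text password. Without that password it cannot decide (None).
    if known_password is None:
        return None
    expected = chap_response(chap_id, known_password, challenge)
    return hmac.compare_digest(expected, response)

def demo():
    directory = BindOnlyDirectory({"jdoe": b"correct horse"})  # constructed account
    chap_id, challenge = 7, bytes(range(16))                   # constructed values
    response = chap_response(chap_id, b"correct horse", challenge)
    return {
        "pap_ok": verify_pap(directory, "jdoe", b"correct horse"),
        "pap_bad": verify_pap(directory, "jdoe", b"wrong"),
        # The directory exposes no password, so the server has nothing to hash.
        "chap_bind_only": verify_chap(None, chap_id, challenge, response),
        # Works only where the server can read the clear-text password.
        "chap_with_cleartext": verify_chap(b"correct horse", chap_id, challenge, response),
    }

if __name__ == "__main__":
    print(demo())
```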
