So, the question again is: if the VPN Concentrator is only sending
username and password, do I need ntlm_auth or ms-chap? FreeRADIUS
doesn't have any usernames and passwords and will query Active Directory
for the actual authentication.
Thanks,
If the packet merely contains a plaintext username and password, then
you can probably just use rlm_ldap against AD and hit it directly. You just
need to set up a user with read access to the directory to do the initial
bind and the search of the user for authorization. Then the user will be
authenticated by doing a bind against AD with the username/password in the
packet.
BTW - I use freeradius w/ ldap for Cisco VPN concentrators as well,
although it's OpenLDAP instead of AD. To pass back the Class attribute,
you must modify ldap.attrmap and specify the reply item of Class to match
what you call it in the directory.
eg:
replyItem Class radiusClass
Then in the directory, you have
dn: cn=someuser,...
...
radiusClass: "OU=myvpngroup;"
So, for AD, you'll need to extend the schema and add an attribute for
this. Or if you already have something that you can use, just modify
ldap.attrmap to know what it is.
-Dusty Doris
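For the search-then-bind setup described in the reply above, here is an added configuration example; it is not from this thread and not Dusty's own files. It assumes FreeRADIUS 2.x (where ldap.attrmap still exists), and the host name dc1.example.com, the DNs, the service account cn=radius-svc and its password are placeholders; the attribute name radiusClass is the one used in the reply. Note that this only works when the concentrator sends PAP, i.e. a User-Password that the module can use for the bind as the user. With MS-CHAP there is no cleartext password in the packet, so a bind cannot authenticate the user and ntlm_auth or rlm_mschap is needed instead.

```text
# raddb/modules/ldap  (FreeRADIUS 2.x syntax; names and DNs are placeholders)
ldap {
    server = "dc1.example.com"

    # Service account for the initial bind and the user search.
    # It needs read access to the user objects and nothing more;
    # it is never used to authenticate end users.
    identity = "cn=radius-svc,cn=Users,dc=example,dc=com"
    password = "change-me"

    basedn = "cn=Users,dc=example,dc=com"
    # AD keys logins on sAMAccountName rather than uid. rlm_ldap escapes
    # LDAP filter metacharacters in the expanded User-Name before it is
    # substituted here, so a crafted login name cannot widen the search.
    filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"

    # Directory attribute -> RADIUS item mapping (replyItem Class radiusClass)
    dictionary_mapping = ${confdir}/ldap.attrmap

    # Let the module set Auth-Type := LDAP when nothing else claims the
    # user, so authentication is a bind as the user with User-Password.
    set_auth_type = yes

    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1

    # The user's password travels in the bind, so protect the connection
    # and verify the domain controller's certificate.
    tls {
        start_tls = yes
        cacertfile = ${confdir}/certs/ad-ca.pem
        require_cert = "demand"
    }
}

# raddb/ldap.attrmap  (one added line; AD needs the attribute in its schema,
# or point the third column at an existing attribute you already populate)
replyItem   Class   radiusClass

# raddb/sites-enabled/default  (relevant sections only)
authorize {
    preprocess
    ldap
}
authenticate {
    Auth-Type LDAP {
        ldap
    }
}
```

Before starting radiusd, check the service account with the same search the module will run, e.g. `ldapsearch -x -ZZ -H ldap://dc1.example.com -D "cn=radius-svc,cn=Users,dc=example,dc=com" -W -b "cn=Users,dc=example,dc=com" "(sAMAccountName=someuser)" radiusClass`; if that does not return the user and the attribute, FreeRADIUS will not either. Then test from the RADIUS side with `radtest someuser 'their-password' 127.0.0.1 0 testing123` (the shared secret for localhost in clients.conf) and confirm that the Access-Accept carries the Class attribute before pointing the concentrator at the server.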
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html