Hi,

> What we are wondering is if it's possible to still have requests come
> through to our freeradius box, and instead of providing the certificate
> and proxying the contents of the inner tunnel to the AD box.. if it's
> possible to simply proxy the entire request, PEAP/MSCHAP and all
> directly to their AD servers?  They are hesitant to allow our freeradius
> box to join the domain, and if it's doable, a workaround would be the
> preferred route.

Yes, sure you can - they'll have to run IAS or NPS (ad2003 or ad2008 etc)
and then you simply proxy the whole shaboodle off to them to deal with
- then you don't need to play around with ntlm_auth etc. etc. Of course,
they'll have to put required certs onto their auth system but that's a minor
issue.

alan
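
A sketch of the proxy setup described in the reply above, added here as an illustration and not taken from the original message. The realm name, address and secret are constructed placeholders, and it assumes users authenticate as user@example.org with the stock `suffix` module enabled in `authorize`.

```conf
# proxy.conf on the FreeRADIUS box (added example; all values are placeholders)

# The customer's IAS/NPS server. It terminates PEAP itself, so the server
# certificate lives there and this box never sees the inner MSCHAPv2 exchange.
home_server customer_nps {
    type   = auth
    ipaddr = 192.0.2.10            # constructed address (documentation range)
    port   = 1812
    secret = CHANGE_ME_SHARED_SECRET
}

home_server_pool customer_nps_pool {
    type        = fail-over
    home_server = customer_nps
}

# Requests whose outer identity ends in @example.org are forwarded whole,
# EAP-Message attributes included, instead of being handled by the local
# eap module.
realm example.org {
    auth_pool = customer_nps_pool
    nostrip                        # keep User-Name as the supplicant sent it
}
```

On the IAS/NPS side the FreeRADIUS box has to be added as a RADIUS client with the same shared secret. Because the secret is all that protects the hop between the two servers, use a long random value and restrict UDP 1812 on the NPS host to the proxy's address.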