> I have used
>
> ntlm_auth --request-nt-key --username=user --password=xxx
> --domain=COMPANY1.LOCAL --require-membership-of=COMPANY1-VPN-USERS
>
> ntlm_auth --request-nt-key --username=otheruser --password=xxx
> --domain=COMPANY2.LOCAL --require-membership-of=COMPANY2-VPN-USERS
>
> and I get the right answers, so looks like the settings in my krb5.conf are
> working, but I just can't see how to get freeradius to make the request this
> way.
>
> (Yes, I know the correct request will use --challenge= and --nt-response= but
> I'm "assuming" if I can get the rest of the request right, it'll "just work")

Create two mschap module instances, mschap_co1 with the first ntlm_auth line
and mschap_co2 with the second one. Then create redundancy inside Auth-Type
MS-CHAP (default server for mschap requests, inner-tunnel for peap):

    Auth-Type MS-CHAP {
        if (Realm == "company1.local") {
            mschap_co1
        }
        elsif (Realm == "company2.local") {
            mschap_co2
        }
        else {
            # or reject if you don't want to try users file, sql, ldap
            # or other accounts
            mschap
        }
    }

Ivan Kalik
Kalik Informatika ISP
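
The two module instances described in the reply above, written out as an added example that is not part of the original post. The ntlm_auth path and the username expansion are assumptions; the domain and group names are the ones from the question, and --password is replaced by the --challenge/--nt-response pair the question mentions.

```conf
# Constructed example: two named instances of the mschap module.
# /usr/bin/ntlm_auth is an assumed path; adjust to where Samba installed it.
# Any other mschap options should be copied from the stock mschap instance.

# Instance used when Realm == "company1.local"
mschap mschap_co1 {
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{mschap:User-Name}} --domain=COMPANY1.LOCAL --require-membership-of=COMPANY1-VPN-USERS --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

# Instance used when Realm == "company2.local"
mschap mschap_co2 {
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{mschap:User-Name}} --domain=COMPANY2.LOCAL --require-membership-of=COMPANY2-VPN-USERS --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}
```

Realm is only populated if a realm module such as suffix has run in the authorize section of the same virtual server, and the string comparison in the Auth-Type block is case-sensitive. Keeping --require-membership-of on each instance means a user from one domain cannot pass the VPN group check of the other.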