Matthew P wrote:
> I'm new to FreeRadius, so please bear with me. :)

Good questions are a very good start.

> Goal: Make FreeRadius look up a user in ActiveDirectory if he has
> "mydomain.com" domain.
> Used method: EAP/TTLS (PAP in the tunnel)
>
> This is how I've done it, but it doesn't give the wanted results, so please
> explain a bit. :)
> (it doesn't seem to load the local_ad virtual server configuration, which I
> placed in the sites-enabled directory, it seems to just carry on executing
> the default server)

If you read the start of the debug output, it *should* show it loading the "local_ad" virtual server. The output below shows it not *proxying* the request to the "local_ad" virtual server.

> realm mydomain.com {
> auth_pool = active_directory

You'll need a line:

nostrip

To avoid EAP identity issues.

...

> rlm_realm: Preparing to proxy authentication request to realm
> "mydomain.com"
> ++[suffix] returns updated
> rlm_eap: Request is supposed to be proxied to Realm mydomain.com. Not doing
> EAP.
> ++[eap] returns noop
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns noop
> There was no response configured: rejecting request 0

i.e. it doesn't proxy it. This *does* work in 2.1.9. So which version are you running?

And why are you creating this complicated configuration? The "inner-tunnel" virtual server is set up *precisely* for this kind of authentication. You do EAP in the "default" server. Then, the "inner-tunnel" server gets the PAP password, and you can configure it to look the user up in AD there.

In fact, you should only need to do the following:

* start with the default config
* uncomment "ldap" everywhere in raddb/sites-enabled/inner-tunnel
* configure raddb/modules/ldap to point to AD
* ensure you have the correct certificates for TTLS
* TTLS + PAP *should* work

The default configuration is designed to work in the widest possible set of circumstances, with a minimal set of changes required to add any common functionality.

Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
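As an added illustration (not part of Alan's reply or of the FreeRADIUS project files), here are the two configuration pieces the thread discusses, written in FreeRADIUS 2.x syntax: the poster's realm block with the missing "nostrip" line added, and the recommended inner-tunnel route with "ldap" enabled. The hostname, DNs and bind account are placeholders; the "filter" and "tls" keys are assumed from the 2.x rlm_ldap defaults.

```conf
# --- Option A (what the original post attempted): raddb/proxy.conf
# Without "nostrip", rlm_realm removes "@mydomain.com" from User-Name, so the
# identity the proxied/inner request carries no longer matches the EAP
# identity the outer server saw, which breaks the EAP state lookup.
realm mydomain.com {
    auth_pool = active_directory
    nostrip
}

# --- Option B (recommended in the reply): no proxying at all.
# raddb/sites-enabled/inner-tunnel: uncomment "ldap" in authorize and the
# LDAP Auth-Type in authenticate. TTLS delivers the PAP password here, inside
# the TLS tunnel, and rlm_ldap verifies it by binding to AD as the user.
authorize {
    # (other default entries left unchanged)
    ldap
}
authenticate {
    # AD never returns a password attribute over LDAP, so rlm_ldap sets
    # Auth-Type = LDAP in authorize and the bind below does the check.
    Auth-Type LDAP {
        ldap
    }
    # (other default entries left unchanged)
}

# raddb/modules/ldap: point the module at a domain controller.
ldap {
    server   = "dc1.mydomain.com"                         # placeholder
    identity = "cn=radius,cn=Users,dc=mydomain,dc=com"    # placeholder bind account
    password = "CHANGE-ME"                                # placeholder
    basedn   = "dc=mydomain,dc=com"
    # AD logon names live in sAMAccountName; use the stripped name when a
    # realm was removed, the full User-Name otherwise (assumed default form).
    filter   = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    tls {
        # The user's cleartext password travels to AD in the bind, so keep
        # that hop encrypted (assumed 2.x key name).
        start_tls = yes
    }
}
```

With the default "default" virtual server handling the outer EAP-TTLS exchange, nothing in proxy.conf is needed for this setup.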