Hi All,

The group helped me configure the FreeRADIUS server to do MSCHAPv2 against LDAP w/ ntPassword if users sign on with usern...@foo.edu, and to do MSCHAPv2 against AD w/ ntlm if users just sign on with username. Now I want to go one step further: passing some attributes back to the NAS. Basically, I want to achieve:

    If (ldap authorization) {
        if (ldap.employeeStatus = facstaff) {
            REPLY{'Service-Type'} = "Framed-User";
            REPLY{'Tunnel-Type'} = "VLAN";
            REPLY{'Tunnel-Medium-Type'} = "IEEE-802";
            REPLY{'Tunnel-Private-Group-Id'} = "facstaff";
        } else {
            # no ldap.employeeStatus attribute or ldap.employeeStatus != facstaff
            REPLY{'Service-Type'} = "Framed-User";
            REPLY{'Tunnel-Type'} = "VLAN";
            REPLY{'Tunnel-Medium-Type'} = "IEEE-802";
            REPLY{'Tunnel-Private-Group-Id'} = "student";
        }
    } else {
        # ntlm authentication
        REPLY{'Service-Type'} = "Framed-User";
        REPLY{'Tunnel-Type'} = "VLAN";
        REPLY{'Tunnel-Medium-Type'} = "IEEE-802";
        REPLY{'Tunnel-Private-Group-Id'} = "facstaff";
    }
What's the easiest way to accomplish this? unlang? The perl module? Where to start?

Thanks,
Schilling

from: schilling <schilling2...@gmail.com>
to: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
date: Tue, Dec 14, 2010 at 3:14 PM
subject: Re: One virtual server for MS-chapv2 against AD w/ ntlm_auth, the other one against ldap ntpasswd hash possible?
mailed-by: gmail.com

Got the whole setup working. So basically, if users sign on with usern...@foo.edu with EAP, they will be sent to LDAP w/ ntPassword authorization. If users sign on with username only with EAP, they will be sent to Active Directory w/ ntlm authentication. The configuration changes are the following:

etc/raddb/proxy.conf, add:

    realm foo.edu {
    }
    realm NULL {
    }

/etc/raddb/site-enabled/inner-tunnel, at the ldap line in the authorize section, add:

    switch "%{Realm}" {
        case foo.edu {
            ldap
            # see /etc/raddb/module/mschap: if ntpassword is available, then do not use
            # NTLM_auth
            update control {
                MS-CHAP-Use-NTLM-Auth := NO
            }
        }
        case NULL {
            mschap
        }
    }

etc/raddb/module/mschap and etc/raddb/module/ntlm are all from the "integrate with Active Directory" howto.
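One way to express the VLAN assignment above in unlang, as an added example that is not from the original post or the FreeRADIUS project: a post-auth block for the inner-tunnel virtual server, branching on the realm the authorize section already switches on. It assumes a FreeRADIUS 2.x style rlm_ldap xlat, an LDAP base of ou=people,dc=foo,dc=edu, and that users are keyed by uid (all three are assumptions, not taken from the post).

```unlang
post-auth {
    # Attributes common to every accepted user, whichever backend authenticated them
    update reply {
        Service-Type := Framed-User
        Tunnel-Type := VLAN
        Tunnel-Medium-Type := IEEE-802
    }

    if ("%{Realm}" == "foo.edu") {
        # LDAP user: look up employeeStatus for the realm-stripped user name.
        # Base DN, attribute name and uid filter are assumptions for this example.
        if ("%{ldap:ldap:///ou=people,dc=foo,dc=edu?employeeStatus?sub?(uid=%{Stripped-User-Name})}" == "facstaff") {
            update reply {
                Tunnel-Private-Group-Id := "facstaff"
            }
        }
        else {
            # employeeStatus missing or not facstaff: default to the student VLAN
            update reply {
                Tunnel-Private-Group-Id := "student"
            }
        }
    }
    else {
        # Realm NULL: user was authenticated by ntlm_auth against Active Directory
        update reply {
            Tunnel-Private-Group-Id := "facstaff"
        }
    }
}
```

Because these replies are generated inside the EAP tunnel, the outer eap module needs use_tunneled_reply = yes (and the ttls/peap sections to match) for the Tunnel-* attributes to reach the NAS; the NAS only acts on attributes in the outer Access-Accept.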