Hello Chris - OK - this is what I had imagined.
What I would suggest is running Microsoft NPS on each domain, then just proxy the inner requests to the corresponding NPS. In this case the inner requests are just straight MSCHAP-V2. Something like this:

Foreground
LogStdout
LogDir /etc/radiator/log/
DbDir /etc/radiator
PidFile %L/radiusd.pid
DictionaryFile %D/dictionary, %D/dictionary.cambium, %D/dictionary.ruckus
Trace 4
AuthPort 1812
AcctPort 1813

<Client 192.168.125.20>
    Secret xxxxxxxxxxx
    Identifier Ruckus
</Client>

<Handler ConvertedFromEAPMSCHAPV2=1, User-Name=/(MYSITE|mysite)(.*)$/>
    <AuthBy RADIUS>
        StripFromRequest ConvertedFromEAPMSCHAPV2
        Host ….
        Secret ….
        AuthPort …..
        AcctPort …..
        AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=52
    </AuthBy>
</Handler>

<Handler ConvertedFromEAPMSCHAPV2=1, User-Name=/GUEST(.*)$/>
    <AuthBy RADIUS>
        StripFromRequest ConvertedFromEAPMSCHAPV2
        Host …..
        Secret ….
        AuthPort …..
        AcctPort …..
        AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=52
    </AuthBy>
</Handler>

# this proxies to the machine that can then proxy to OTHERSITE NPS
# strongly suggest you don’t use Synchronous
<Handler ConvertedFromEAPMSCHAPV2=1, User-Name=/OTHERSITE(.*)$/>
    <AuthBy RADIUS>
        StripFromRequest ConvertedFromEAPMSCHAPV2
        Host 192.168.125.236
        Secret xxxxxxxxx
        AuthPort 1812
        AcctPort 1813
        Retries 2
        AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=nn
    </AuthBy>
</Handler>

<Handler TunnelledByPEAP=1>
    <AuthBy FILE>
        EAPType MSCHAP-V2
        EAP_PEAP_MSCHAP_Convert 1
    </AuthBy>
</Handler>

<Handler Client-Identifier = Ruckus>
    <AuthBy FILE>
        CachePasswordExpiry 3600
        Filename %D/users_anon
        EAPType PEAP,TLS,TTLS
        EAPTLS_PrivateKeyPassword whatever
        EAPTLS_CAFile /etc/radiator/certs/ca.pem
        EAPTLS_CertificateFile /etc/radiator/certs/server.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile /etc/radiator/certs/server.pem
        EAPTLS_PEAPVersion 0
        EAPTTLS_NoAckRequired
        UsernameMatchesWithoutRealm
        AutoMPPEKeys
    </AuthBy>
</Handler>

regards

Hugh

On 24 Jul 2014, at 11:08, Christopher Chance <ccha...@newtechgrp.com> wrote:

> 2 domains are on 2 separate vlans... for authentication I'm filtering it by
> the handler Domain1\myuser Domain2\myuser if domain1 then process it via NTLM
> locally, if the second domain forward to secondary radius that has an
> interface on domain2 and is part of domain2's domain.
>
> This is being done so that my wireless in my office can accept both logins
> and sort users to the correct vlan based on their credentials, if a user logs
> in with Domain1\user then they get sent to Vlan 2 if they get on as
> domain2\user they login to vlan3 for instance.
>
> we have an office with different companies but want to simplify our wireless
> (at least at the user level) so that it is 1 wireless network via wpa2
> enterprise (802.1x eaps)... hence what I'm trying to do above.
>
> Originally I was going to have the main radius server just filter by domains
> and send an ldap2 request to domain1 or domain2's DC but since ldap2 doesn't
> work with mschapv2 I had to go the ntlm way.
>
> And yes the linux version is what we're using as we plan to use the radius
> for some other things too but windows was giving us some headaches, but that's
> a different story for a different day.
>
> hope I've explained :S
>
> Chris
> ________________________________________
> From: Hugh Irvine [h...@open.com.au]
> Sent: Wednesday, July 23, 2014 8:07 PM
> To: Christopher Chance
> Cc: radiator@open.com.au
> Subject: Re: [RADIATOR] 802.1x PEAP-MSCHAPv2 - NTLM+(Radius/NTLM)
>
> Hello Chris -
>
> Could you please explain in detail what exactly you are trying to accomplish?
>
> It sounds like you are authenticating against Active Directory but you are
> running Radiator on Linux?
>
> Can you tell us how you differentiate between the 2 domains?
>
> We can make better suggestions if we clearly understand the problem.
>
> regards
>
> Hugh
>
>
> On 24 Jul 2014, at 03:30, Christopher Chance <ccha...@newtechgrp.com> wrote:
>
>> Let me just say I got 802.1x working with PEAP/MSCHAPv2 -> NTLM
>> authentication….
>>
>> The issue is we have 2 domains on our network and want to be able to have
>> the single 802.1x authentication, sorted by domain authenticate and return
>> the correct vlan for the user... I couldn’t figure a way out to do it with
>> LDAP2 as apparently LDAP2 doesn’t like MSCHAPv2/PEAP only PAP for whatever
>> reason… So NTLM I went to, and it works but that meant I had to join the
>> linux server to the domain, and only 1 domain per server.
>>
>> To solve this I followed someone’s recommendation to have a second radius
>> server (vm), that’s on the other domain that just checks domains and the
>> first server will proxy the request to it… simple enough…
>>
>> The issue is it doesn’t work, the secondary radius sends the access-accept
>> but for some reason the main server doesn’t seem to handle the
>> challenge/accept process correctly anymore and the signin process just hangs
>> on the wireless…
>>
>> So now I’m 110% lost and don’t know what else could be the issue…
>>
>> If you can take a look at this and help me out it would be greatly
>> appreciated, as to where I’m going wrong.
>>
>> Good login with primary server doing NTLM: http://pastebin.com/Vimm88Ya
>> Login that’s hanging being processed from remote Radius:
>> http://pastebin.com/Lj3MCset
>>
>> Config is http://pastebin.com/UCr2vMdk
>>
>> Thanks,
>> Chris
>> _______________________________________________
>> radiator mailing list
>> radiator@open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>
>
> --
>
> Hugh Irvine
> h...@open.com.au
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER, SIM, etc.
> Full source on Unix, Linux, Windows, MacOSX, Solaris, VMS, NetWare etc.
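The suggested config relies on Handler order: the converted inner MSCHAP-V2 request is matched against the three ConvertedFromEAPMSCHAPV2 Handlers before it can reach the TunnelledByPEAP or Client-Identifier ones, and the first Handler whose check items all match decides both where the request is proxied and which VLAN the reply carries. The following Python model of that dispatch is an added illustration written for this page, not code from the post and not Radiator's own code. It assumes Radiator's first-matching-Handler rule, treats the /regex/ check items as Perl does (unanchored matches), uses placeholders for the NPS hosts and secrets that were elided in the post, and maps the dictionary names VLAN and 802 to their RFC 2868 codes 13 and 6. The sample usernames are constructed; the third one shows why an unanchored pattern deserves a check before deployment, since a name containing MYSITE anywhere lands in the first Handler and never reaches the GUEST one.

```python
import re
from typing import Optional

# Model of the <Handler> clauses in the posted config, in file order.  Regexes are
# copied from the post; NPS hosts and secrets were elided there, so they are
# placeholders.  This is an added illustration, not Radiator code.
HANDLERS = [
    # (name, check items, User-Name regex (None = no regex check), target, VLAN id)
    ("mysite-nps",      {"ConvertedFromEAPMSCHAPV2": "1"}, r"(MYSITE|mysite)(.*)$", "NPS_MYSITE_PLACEHOLDER", "52"),
    ("guest-nps",       {"ConvertedFromEAPMSCHAPV2": "1"}, r"GUEST(.*)$",           "NPS_GUEST_PLACEHOLDER",  "52"),
    ("othersite-proxy", {"ConvertedFromEAPMSCHAPV2": "1"}, r"OTHERSITE(.*)$",       "192.168.125.236",        "nn"),
    ("peap-inner",      {"TunnelledByPEAP": "1"},          None, "local AuthBy FILE, EAP_PEAP_MSCHAP_Convert", None),
    ("outer-eap",       {"Client-Identifier": "Ruckus"},   None, "local AuthBy FILE, PEAP/TLS/TTLS",           None),
]

# Numeric codes behind the dictionary names used in AddToReply (RFC 2868).
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6


def select_handler(request: dict) -> Optional[dict]:
    """Pick the first Handler whose check items all match `request` (a dict of the
    RADIUS attributes and Radiator flags as the server sees them).  Returns the
    Handler name, where the request would go and the reply attributes that Handler
    adds, or None when no Handler matches."""
    username = request.get("User-Name", "")
    for name, checks, pattern, target, vlan in HANDLERS:
        if any(request.get(attr) != value for attr, value in checks.items()):
            continue
        # Assumption: Radiator's /regex/ check items behave like Perl matches, so
        # they are unanchored unless the config anchors them.  Hence re.search.
        if pattern is not None and re.search(pattern, username) is None:
            continue
        reply = {}
        if vlan is not None:
            reply = {
                "Tunnel-Type": TUNNEL_TYPE_VLAN,
                "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE802,
                "Tunnel-Private-Group-ID": vlan,
            }
        return {"handler": name, "target": target, "reply": reply}
    return None


def dispatch_trace(usernames):
    """For each constructed, already-converted inner User-Name, report which
    Handler it lands on.  Handy for reviewing Handler order before changing it."""
    return {
        u: (select_handler({"User-Name": u, "ConvertedFromEAPMSCHAPV2": "1"}) or {}).get("handler")
        for u in usernames
    }


if __name__ == "__main__":
    # Constructed sample names.  "GUEST-MYSITE" is caught by the unanchored first
    # regex and never reaches the GUEST Handler; "nomatch" matches no Handler at all.
    samples = ["mysite\\alice", "GUEST01", "GUEST-MYSITE", "OTHERSITE\\bob", "nomatch"]
    for user, handler in dispatch_trace(samples).items():
        print(f"{user!r:20} -> {handler}")
```

A converted request that matches none of the three proxy Handlers has nowhere to go in this layout (the model returns None), so every realm a supplicant can legitimately present needs its own Handler, and any pattern meant to match a realm prefix is safer anchored with ^ so that VLAN placement follows the realm rather than a substring anywhere in the name.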