(RADIATOR) PEAP/MSCHAP-V2 and realms

DELORT Stephane Stephane.DELORT at murex.com
Wed Oct 5 03:08:36 CDT 2005


Hello all,

My company has different agencies in different countries. Each agency has its own Active Directory with its own domain.
So, we've got fr.murex.com for France and us.murex.com for the US.

I would like to authenticate the users in their realms.

In order to do this, I did:

**********************************************

...

# Tried with and without 
RewriteUsername s/^(.*)\\(.*)/$2\@$1/ 


# FR corporate users

<Handler TunnelledByPEAP=1, realm=FR-MX-COM>
	AuthByPolicy ContinueWhileAccept
	AuthBy CheckMacAddress
	AuthBy CheckCorporateUsersFR
</Handler>

<AuthBy LSA>
	Identifier CheckCorporateUsersFR
	
	Group wifi
	DomainController frdomaincontroller
	EAPType MSCHAP-V2
</AuthBy>


# US corporate users

<Handler TunnelledByPEAP=1, realm=US-MX-COM >
	AuthByPolicy ContinueWhileAccept
	AuthBy CheckMacAddress
	AuthBy CheckCorporateUsersUS
</Handler>

<AuthBy LSA>
	Identifier CheckCorporateUsersUS
	DomainController usdomaincontroller
	EAPType MSCHAP-V2
	AddToReply TRPZ-VLAN-Name = mx_corpo
</AuthBy>



<Handler Called-Station-Id=/MX_WIFI/ >
	MaxSessions 1	
	<AuthBy FILE>
		EAPAnonymous	%0

		EAPType PEAP
		EAPTLS_CAFile %D/certificates/certifs_murex/mycert.crt

		EAPTLS_CertificateFile %D/certificates/certifs_murex/mycert.crt		
		EAPTLS_CertificateType PEM

		EAPTLS_PrivateKeyFile %D/certificates/certifs_murex/mycert.key
		EAPTLS_PrivateKeyPassword murex

		EAPTLS_MaxFragmentSize 1000		
		AutoMPPEKeys
		SSLeayTrace 4
		EAPTLS_SessionResumptionLimit 120
		EAPTLS_PEAPVersion 0

	</AuthBy>
</Handler>


*************************************************

Still, this does not work.
Is there a means to accomplish what I want without having to authenticate the users against the central domain controller?

If I use the central domain controller (the 'father' of US-MX-COM and FR-MX-COM), what happens when two users have the same login and password?


Best regards,
Stéphane
