  • #2260352

    Windows AD login authentication over RADIUS?

    Locked

    by tygyrtoo ·

    Hi all,

    I have a kind-of-unusual question. We are an online company where we have three cloned AD environments (Staging, Pre-production and Production).

    These environments are cloned right down to IP address, as they need to be identical for QA and testing purposes. Access to these different logical environments is done by using routers and firewalls so we retain the ability to access them without allowing IP conflicts to occur.

    Right now, each environment has its own accounts and team members log in using these accounts. That’s pretty clunky because if a new employee comes in, we have to manually configure their login account on the three different environments. There is also no centralised authentication and (for example) if the user changes their password this also has to be updated manually in each environment. Less than ideal.

    What we would like to do is implement a system whereby each environment authenticates Windows logins off our corporate domain. That way, if a user enters/leaves/changes password there is only one point of reference. Normally you’d do this via domain trusts, but since each of our environments is cloned they must NEVER be able to talk to each other over NetBIOS/LDAP/Kerberos because they share the same DomainID and things could get messed up fast.

    RADIUS comes to mind as the ideal way of doing this. Authentication requests are passed over non-Windows channels.

    The problem is, there appears to be no way that Windows will let you log in via RADIUS in this way. The closest you can get is the “Logon Using Dial Up Networking” option… which tries to establish a VPN (no good for the reasons mentioned above).

    Does anyone know of a client software or way to configure Windows so we can log into our machines using RADIUS as an authentication mechanism?
