authenticate machine accounts with ntlm_auth
Kris Benson
kbenson at sd57.bc.ca
Mon Aug 1 02:29:04 CEST 2005
>> I'm very frustrated now after spending a couple of weeks trying to get
>> FreeRADIUS to authenticate my Win2k machine accounts against active
>> directory. :-(
>
> Sorry, blame Microsoft. It isn't possible, but they don't make it
> obvious that it's not possible.
>
>> Alan, do you know of any way to get this working. I have been assured
>> that Funk can do this, have you any idea how Funk are doing it. Funk
>> costs too much. Maybe I'm not allowed to ask such questions.
>
> Funk does it by running the radius server on the AD server. At that
> point, they can use *internal* Windows APIs or hacks to get at the
> data. Since FreeRADIUS is running externally, it can't use those
> APIs, and thus won't work.
>
> FreeRADIUS *will* run on XP. If someone were to write the necessary
> code, you could run the server on XP, and do what Funk does.

It sounds to me like you're saying this is a server-side issue. Since AD
is available via LDAP, why couldn't this FreeRADIUS install just use
rlm_ldap to access the machine account info in AD?
The Microsoft side of things isn't my greatest strength, least of all the
AD/LDAP stuff, but it seems as though this *should* work.
:-)
-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)