Issues authenticating vs 2003 AD
aland at ox.org
Thu Aug 18 20:25:30 CEST 2005
Tim P <panterafreak at gmail.com> wrote:
> Ok using these settings it seems to authenticate with radtest
> [root at redguard ~]# radtest user userpass localhost:1812 1 radiussecret
i.e. clear-text password.
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
i.e. NO PASSWORD WAS RETURNED BY AD.
> rlm_ldap: bind as CN=Tim
> Porritt,CN=Users,DC=gtdsolutions,DC=org/pantera to
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: user tporritt authenticated succesfully
i.e. You're binding to AD as the user.
You are using AD as an "authentication oracle". You hand it bits of
information, and it returns yes/no. You are NOT using AD as a database.
> These two look to me like they authenticated the user successfully.
Yes. Now try MSCHAP.
> In /etc/ppp/options.l2tpd I have
> Is it possible that this will work?
Yes. But you're not getting the password from AD.
As I said: AD will not supply the password. Nothing in what you've
posted contradicts that.
> Just looking for a way (and preferably and example) of the
> authentication vs AD since I don't seem to understand how to do it. I
> have looked in radius.conf and enabled the ntlm authentication but it
> seems to insist upon using chap and not mschap-v2, is there a
The client asks for CHAP, so that's what the RADIUS server sees.
The RADIUS server DOES NOT, and CAN NOT change the authentication
method the client uses.
> It still complains about the "no cleartext password"
Because, as I've said repeatedly, AD doesn't supply the password to
More information about the Freeradius-Users