Issues authenticating vs 2003 AD
panterafreak at gmail.com
Thu Aug 18 20:34:26 CEST 2005
Sorry to keep asking but can you post an example (using mschap) to
authenticate from freeradius to AD using the ntlm_auth method?
On 8/18/05, Alan DeKok <aland at ox.org> wrote:
> Tim P <panterafreak at gmail.com> wrote:
> > Ok using these settings it seems to authenticate with radtest
> > [root@redguard ~]# radtest user userpass localhost:1812 1 radiussecret
> i.e. clear-text password.
> > rlm_ldap: looking for check items in directory...
> > rlm_ldap: looking for reply items in directory...
> i.e. NO PASSWORD WAS RETURNED BY AD.
> > rlm_ldap: bind as CN=Tim Porritt,CN=Users,DC=gtdsolutions,DC=org/pantera to gtds-domcon.gtdsolutions.org:389
> > rlm_ldap: waiting for bind result ...
> > rlm_ldap: Bind was successful
> > rlm_ldap: user tporritt authenticated succesfully
> i.e. You're binding to AD as the user.
> You are using AD as an "authentication oracle". You hand it bits of
> information, and it returns yes/no. You are NOT using AD as a database.
> > These two look to me like they authenticated the user successfully.
> Yes. Now try MSCHAP.
> > In /etc/ppp/options.l2tpd I have
> > Is it possible that this will work?
> Yes. But you're not getting the password from AD.
> As I said: AD will not supply the password. Nothing in what you've
> posted contradicts that.
> > Just looking for a way (and preferably an example) of the
> > authentication vs AD since I don't seem to understand how to do it. I
> > have looked in radius.conf and enabled the ntlm authentication but it
> > seems to insist upon using chap and not mschap-v2, is there a
> > difference?
> The client asks for CHAP, so that's what the RADIUS server sees.
> The RADIUS server DOES NOT, and CAN NOT change the authentication
> method the client uses.
> > It still complains about the "no cleartext password"
> Because, as I've said repeatedly, AD doesn't supply the password to
> Alan DeKok.
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
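
The difference between the radtest (clear-text) case and the CHAP case discussed in the quoted reply, as an added example that is not part of the original thread or of FreeRADIUS. `BindOracle` is a constructed stand-in for a directory that only answers yes/no to a bind; the function names are hypothetical, and the account values are sample data taken from the radtest line.

```python
import hashlib
import hmac
import os

class BindOracle:
    """Constructed stand-in for AD: stores a salted hash, answers yes/no only."""
    def __init__(self):
        self._users = {}

    @staticmethod
    def _kdf(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

    def add_user(self, user, password):
        salt = os.urandom(16)
        self._users[user] = (salt, self._kdf(password, salt))

    def bind(self, user, password):
        if user not in self._users:
            return False
        salt, stored = self._users[user]
        return hmac.compare_digest(stored, self._kdf(password, salt))

def chap_response(ident, password, challenge):
    # RFC 1994: MD5 over the one-octet identifier, the secret, then the challenge.
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()

def verify_pap(oracle, user, password):
    # PAP (what radtest sent): the request carries the clear-text password,
    # so the server can hand it to the oracle and take the yes/no answer.
    return oracle.bind(user, password)

def verify_chap(cleartext, ident, challenge, response):
    # CHAP: the request carries only the digest, so the server must recompute
    # it from a clear-text password it already holds. The oracle supplies none.
    if cleartext is None:
        raise LookupError("no cleartext password: CHAP needs one to verify")
    return hmac.compare_digest(chap_response(ident, cleartext, challenge), response)

def demo():
    oracle = BindOracle()
    oracle.add_user("user", "userpass")  # constructed account, names from the radtest line
    challenge = os.urandom(16)
    response = chap_response(1, "userpass", challenge)  # what a CHAP client would send
    try:
        chap_ok = verify_chap(None, 1, challenge, response)  # server has no password
    except LookupError:
        chap_ok = False
    return verify_pap(oracle, "user", "userpass"), chap_ok
```

`demo()` returns `(True, False)`: the bind-based check succeeds for the clear-text request and the CHAP check cannot be performed without a stored password.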