Issues authenticating vs 2003 AD

Tim P panterafreak at gmail.com
Thu Aug 18 20:34:26 CEST 2005


Sorry to keep asking but can you post an example (using mschap) to
authenticate from freeradius to AD using the ntlm_auth method?

On 8/18/05, Alan DeKok <aland at ox.org> wrote:
> Tim P <panterafreak at gmail.com> wrote:
> > Ok using these settings it seems to authenticate with radtest
> ...
> > [root at redguard ~]# radtest user userpass localhost:1812 1 radiussecret
> 
>   i.e. clear-text password.
> 
> > rlm_ldap: looking for check items in directory...
> > rlm_ldap: looking for reply items in directory...
> 
>   i.e. NO PASSWORD WAS RETURNED BY AD.
> 
> > rlm_ldap: bind as CN=Tim
> > Porritt,CN=Users,DC=gtdsolutions,DC=org/pantera to
> > gtds-domcon.gtdsolutions.org:389
> > rlm_ldap: waiting for bind result ...
> > rlm_ldap: Bind was successful
> > rlm_ldap: user tporritt authenticated succesfully
> 
>   i.e. You're binding to AD as the user.
> 
>   You are using AD as an "authentication oracle".  You hand it bits of
> information, and it returns yes/no.  You are NOT using AD as a database.
> 
> > These two look to me like they authenticated the user successfully.
> 
>   Yes.  Now try MSCHAP.
> 
> > In /etc/ppp/options.l2tpd  I have
> ..
> > Is it possible that this will work?
> 
>   Yes.  But you're not getting the password from AD.
> 
>   As I said: AD will not supply the password.  Nothing in what you've
> posted contradicts that.
> 
> > Just looking for a way (and preferably an example) of the
> > authentication vs AD since I don't seem to understand how to do it.  I
> > have looked in radius.conf and enabled the ntlm authentication but it
> > seems to insist upon using chap and not mschap-v2, is there a
> > difference?
> 
>   The client asks for CHAP, so that's what the RADIUS server sees.
> The RADIUS server DOES NOT, and CAN NOT change the authentication
> method the client uses.
> 
> >   It still complains about the "no cleartext password"
> 
>   Because, as I've said repeatedly, AD doesn't supply the password to
> you.
> 
>   Alan DeKok.
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
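The configuration Tim is asking for, shown here as an added example rather than anything posted in this thread, is the rlm_mschap ntlm_auth hook. It follows Alan's point exactly: AD never hands the password to FreeRADIUS, so the MS-CHAP challenge and NT-Response are forwarded to Samba's ntlm_auth, which asks the domain controller (through winbindd) for a yes/no verdict and, on success, returns the NT key needed for MPPE. The domain name MYDOMAIN and the ntlm_auth path are placeholders; the rest is the standard FreeRADIUS 1.x radiusd.conf layout.

```text
# radiusd.conf fragment (FreeRADIUS 1.x style) -- added example, not from the list post.
# Assumes: Samba joined to the domain, winbindd running, and the radiusd user
# allowed to read winbind's privileged pipe directory (commonly winbindd_privileged).

modules {
        mschap {
                authtype = MS-CHAP
                use_mppe = yes
                require_encryption = yes
                require_strong = yes
                with_ntdomain_hack = yes

                # MYDOMAIN and the path are placeholders for your site.
                # The :-None / :-00 defaults keep the command well-formed when
                # a request arrives without MS-CHAP attributes.
                ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name:-None} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
        }
}

authorize {
        preprocess
        # mschap sets Auth-Type = MS-CHAP only when MS-CHAP attributes are present;
        # a plain CHAP or PAP request is left alone (the server cannot change
        # what the client asked for).
        mschap
}

authenticate {
        Auth-Type MS-CHAP {
                mschap
        }
}
```

Before touching radiusd, confirm the Samba side works on its own, because that is where most failures live: run `ntlm_auth --request-nt-key --domain=MYDOMAIN --username=someuser --password=...` as the same Unix user radiusd runs as. If that returns "NT_STATUS_OK" the oracle works; if it fails with an access-denied error on the winbind pipe, the radiusd user lacks rights to the privileged socket directory and no radius setting will fix it. Note also that with this setup the LDAP bind shown earlier is no longer part of authentication; it remains useful only for pulling reply attributes such as group membership.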
