wireless+freeradius+AD

Robin Mordasiewicz rmordasiewicz at samuelmanutech.com
Mon Nov 21 19:14:07 CET 2005


On Mon, 21 Nov 2005, King, Michael wrote:

> > Oh, excellent. I just joined this list hoping to query the
> > members on finding more information on doing
> > wireless+activedirectory+freeradius,
> > unfortunately I could not find any good postings, or web
> > toots/examples.
>
> Hi Robin, Welcome to the club.
>
>
> > I would need to use Microsoft IAS. Is this false ?
> Yes, that particular example used Microsoft IAS, but it is not
> required.
>
>
> > Are people
> > using Active Directory successfully ?
> Yes.  Besides myself, there are many people on this list that are.
>
> > I have a linux box that
> > is currently acting as a tacacs server while authenticating
> > using winbind etc, and was hoping to make it a radius server as well.
>
> You are already 3/4 of the way there, since the trickiest part of my
> freeradius setup was getting winbind to talk to activedirectory.
>
> Depending on your Linux distribution, you will just have to install
> freeradius.  (Some distributions like Debian require a -disable-shared)
>
> Go thru the radiusd.conf and the eap.conf files, it's clearly commented
> on what you need to configure.
>
> You'll see a section marked:
> ntlm_auth = "/path/to/ntlm_auth ........(Trimmed)
>
> You might need to modify this to:
> ntlm_auth = "/path/to/ntlm_auth --request-nt-key
> --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain}
> --challenge=%{mschap:Challenge:-00}
> --nt-response=%{mschap:NT-Response:-00}"
>
> Don't hesitate to ask questions.  There is a good Howto (unfortunately, I
> don't have my bookmarks with me) but some others on the list hopefully
> will post it.
>

Yes winbind kerberos stuff works well, and I got it previously working to
enable TAC_PLUS to do active directory authentication.

If anyone knows the site with a good howto I would greatly appreciate it.

Otherwise I am chugging along.

I have gotten the windows program NTRadPing to authenticate non-CHAP with
a local UNIX account. I am not sure what fields I must enter to get
MS-CHAP to test, or if there is even a difference between CHAP and
MS-CHAP?

Anyways I fuddled around with a bunch of different combinations and always
get this in the logfile

Auth: Login incorrect (rlm_chap: Clear text password not available):
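
Background on the rlm_chap log line above, as an added example that is not part of the original post or of FreeRADIUS: standard CHAP (RFC 1994) defines the response as MD5(Identifier || password || Challenge), so the verifier must hold the password itself, and a store that keeps only a one-way hash cannot check it. The function names and sample values are constructed for illustration.

```python
import hashlib
import hmac


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def verify_chap(ident, challenge, response, stored_cleartext):
    """Server-side CHAP check (hypothetical helper).

    Returns True/False when a cleartext password is on file, and None when
    it is not: without the cleartext the expected MD5 cannot be recomputed.
    """
    if stored_cleartext is None:
        return None
    expected = chap_response(ident, stored_cleartext, challenge)
    return hmac.compare_digest(expected, response)


def demo():
    # Constructed sample values, not taken from any real exchange.
    ident = 0x2A
    challenge = bytes.fromhex("00112233445566778899aabbccddeeff")
    password = b"correct horse"

    # What the client sends back after receiving the challenge.
    response = chap_response(ident, password, challenge)

    # 1. Server has the cleartext password: verification succeeds.
    ok = verify_chap(ident, challenge, response, password)
    # 2. Server has a different cleartext password: verification fails.
    bad = verify_chap(ident, challenge, response, b"wrong password")
    # 3. Server has only a one-way hash of the password. Feeding the hash in
    #    as if it were the password does not reproduce the response.
    hash_only = hashlib.sha256(password).digest()
    via_hash = verify_chap(ident, challenge, response, hash_only)
    # 4. Server has no cleartext at all: nothing to compare against.
    no_clear = verify_chap(ident, challenge, response, None)
    return ok, bad, via_hash, no_clear


if __name__ == "__main__":
    print(demo())
```
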


