wireless+freeradius+AD

David Antognini dave at antognini.com
Tue Nov 22 08:11:13 CET 2005


Yes I too would like some help with this.

This is what I am trying to do:
1. authenticate via chap (from chillispot) to freeradius, using unix shadow
passwords or pam.. 

I followed the pam directions and it works fine for pap, but not chap..

2. also, would like to get it to work via AD (kerberos etc.) A doc on this would
be very helpful...

Dave

> On Mon, 21 Nov 2005, King, Michael wrote:
> 
> > > Oh, excellent. I just joined this list hoping to query the
> > > members on finding more information on doing
> > > wireless+activedirectory+freeradius,
> > > unfortunately I could not find any good postings, or web
> > > toots/examples.
> >
> > Hi Robin, Welcome to the club.
> >
> >
> > > I would need to use Microsoft IAS. Is this false ?
> > Yes,  That particular example used Microsoft IAS, but it is not
> > required.
> >
> >
> > > Are people
> > > using Active Directory successfully ?
> > Yes.  Besides myself, there are many people on this list that are.
> >
> > > I have a linux box that
> > > is currently acting as a tacacs server while authenticating
> > > using winbind etc, and was hoping to make it a radius server as well.
> >
> > You are already 3/4 of the way there, since the trickiest part of my
> > freeradius setup was getting winbind to talk to activedirectory
> >
> > Depending on your Linux distribution, you will just have to install
> > freeradius.  (Some distributions like Debian require a -disable-shared)
> >
> > Go thru the radiusd.conf and the eap.conf files, it's clearly commented
> > on what you need to configure.
> >
> > You'll see a section marked:
> > ntlm_auth = "/path/to/ntlm_auth ........(Trimmed)
> >
> > You might need to modify this to:
> > ntlm_auth = "/path/to/ntlm_auth --request-nt-key
> > --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain}
> > --challenge=%{mschap:Challenge:-00}
> > --nt-response=%{mschap:NT-Response:-00}"
> >
> > Don't hesitate to ask questions.  There is a good Howto (unfortunately, I
> > don't have my bookmarks with me) but some others on the list hopefully
> > will post it.
> >
> 
> Yes winbind kerberos stuff works well, and I got it previously working to
> enable TAC_PLUS to do active directory authentication.
> 
> If anyone knows the site with a good howto I would greatly appreciate it.
> 
> Otherwise I am chugging along.
> 
> I have gotten the windows program  NTRadPing to authenticate non CHAP with
> a local UNIX account. I am not sure what fields I must enter to get
> MS-CHAP to test, or if there is even a difference between CHAP and
> MS-CHAP?
> 
> Anyways I fuddled around with a bunch of different combinations and always
> get this in the logfile
> 
> Auth: Login incorrect (rlm_chap: Clear text password not available):
> 
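
Added example (not part of the original thread and not FreeRADIUS code): a sketch of why PAP can be checked against a one-way shadow/PAM hash while CHAP produces the "Clear text password not available" rejection quoted above. The function names and the sample credential are constructed, and PBKDF2 is an assumed stand-in for a crypt(3) shadow entry.

```python
import hashlib
import hmac
import os

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def shadow_hash(password: bytes, salt: bytes) -> bytes:
    """Stand-in (assumption) for a salted one-way crypt(3) shadow entry."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 10_000)

def check_pap(sent_password: bytes, salt: bytes, stored: bytes) -> bool:
    """PAP hands the server the password itself, so it can re-hash and compare."""
    return hmac.compare_digest(shadow_hash(sent_password, salt), stored)

def check_chap(chap_password: bytes, challenge: bytes, cleartext) -> str:
    """chap_password is the RADIUS CHAP-Password value: 1-byte id + 16-byte MD5."""
    if cleartext is None:
        # Only a one-way hash is on file: the MD5 input cannot be rebuilt.
        return "reject: clear text password not available"
    if len(chap_password) != 17:
        return "reject: malformed CHAP-Password"
    ident, response = chap_password[0], chap_password[1:]
    expected = chap_response(ident, cleartext, challenge)
    return "accept" if hmac.compare_digest(expected, response) else "reject: bad response"

def demo() -> dict:
    password = b"correct horse"            # constructed sample credential
    salt, challenge, ident = os.urandom(16), os.urandom(16), 7
    stored = shadow_hash(password, salt)   # all a shadow/PAM backend keeps
    # What the NAS forwards after the client answers its challenge:
    chap_password = bytes([ident]) + chap_response(ident, password, challenge)
    return {
        "pap, hash on file": check_pap(password, salt, stored),
        "chap, hash on file": check_chap(chap_password, challenge, None),
        "chap, hash used as secret": check_chap(chap_password, challenge, stored),
        "chap, cleartext on file": check_chap(chap_password, challenge, password),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The third case shows that feeding the stored hash into the CHAP computation in place of the password does not help: the client hashed the password, not the shadow entry.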





