How do I set up simple AD integration?
Josh Howlett
josh.howlett at bristol.ac.uk
Tue Apr 11 17:23:56 CEST 2006
Steve,
>> #ntlm_auth = "/path/to/ntlm_auth --request-nt-key
>> --username=%{Stripped-User-Name:-%{User-Name:-None}}
>> --challenge=%{mschap:Challenge:-00}
>> --nt-response=%{mschap:NT-Response:-00}"
>> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
>> --username=%{mschap:User-Name} --challenge=%{mschap:Challenge}
>> --nt-response=%{mschap:NT-Response}"
>
> This stanza is enclosed with the mschap section, still nothing ventured....
> I changed the line and unfolded it and ran radiusd -X. The first request didn't match anything useful and was rejected by System. I tried again but ticked the box 'CHAP' on NTRadPing and got the output:
<snip>
> rad_check_password: Found Auth-Type CHAP
> auth: type "CHAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group CHAP for request 0
> rlm_chap: login attempt by "burst01" with CHAP password
> rlm_chap: Could not find clear text password for user burst01
> modcall[authenticate]: module "chap" returns invalid for request 0
> modcall: leaving group CHAP (returns invalid) for request 0
You can't do this.
If you want to do ntlm_auth, you need to use an authentication protocol
that provides FreeRADIUS with either the user's (1) cleartext
credentials or (2) the user's NT credentials.
CHAP won't work - it's impossible. However PAP will work, as will
MS-CHAP. CHAP is different from MS-CHAP.
best regards, josh.
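
The point of the reply above, as an added example (not part of the original message and not FreeRADIUS code): a PAP User-Password (RFC 2865) can be unhidden to cleartext with the RADIUS shared secret, while a CHAP response (RFC 1994) is an MD5 over the cleartext password and cannot be checked from a stored one-way hash. All function names and values are constructed for illustration, and SHA-256 is only a stand-in for a directory's stored hash such as the NT hash.

```python
import hashlib
import hmac

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: RFC 2865 section 5.2 User-Password hiding."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def pap_recover(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: the shared secret is enough to get the cleartext back."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")

def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """Client side: RFC 1994 response = MD5(id || password || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def chap_verify(chap_id: int, response: bytes, challenge: bytes, stored: bytes) -> bool:
    """Server side: only succeeds if 'stored' is the cleartext password itself."""
    return hmac.compare_digest(chap_response(chap_id, stored, challenge), response)

# Constructed sample values, not taken from the thread.
SECRET = b"constructed-shared-secret"
AUTHENTICATOR = bytes(range(16))
CHALLENGE = bytes(range(16, 32))
PASSWORD = b"Constructed-Passw0rd-longer-than-16"
STORED_HASH = hashlib.sha256(PASSWORD).digest()  # stand-in for a one-way stored hash

def demo() -> dict:
    hidden = pap_hide(PASSWORD, SECRET, AUTHENTICATOR)
    resp = chap_response(1, PASSWORD, CHALLENGE)
    return {
        "pap_cleartext_recovered": pap_recover(hidden, SECRET, AUTHENTICATOR) == PASSWORD,
        "chap_ok_with_cleartext": chap_verify(1, resp, CHALLENGE, PASSWORD),
        "chap_ok_with_hash_only": chap_verify(1, resp, CHALLENGE, STORED_HASH),
    }

if __name__ == "__main__":
    print(demo())
```

The last result is the `rlm_chap: Could not find clear text password` case in the debug output: without the cleartext there is nothing to feed into the MD5.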