Authenticating CHAP-Password to Pam (Kerberos 5 to AD)

Phil Mayers p.mayers at imperial.ac.uk
Fri Jan 27 16:18:59 CET 2006


Patrick Bartkus wrote:
> Please tell me someone has fixed this problem.
> 
> I'm trying to authenticate an Ascend MAX dial-up server back to Windows 
> Active Directory.
> 
> I am using a local unix group for authorization.
> 
> I have Pam set up on my system and it uses Kerberos 5 to authenticate to 
> AD just fine.
> 
> But I'm getting:
> auth: type "PAM"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 0
> rlm_pam: Attribute "User-Password" is required for authentication.  
> Cannot use "CHAP-Password".
>   modcall[authenticate]: module "pam" returns invalid for request 0
> 
> I did some checking and found this posting from 2003 basically saying it 
> can't be done:
> http://www.mail-archive.com/freeradius-users@lists.cistron.nl/msg19439.html
> 
> I do have other options other than the Windows Domain authentication, 
> but I was not wanting to pursue them unless I had to.
> 
> Has this been solved or am I SOL?

It is not a code bug. It is a fundamental feature of the algorithm. It 
*cannot* be solved. You are, as you put it, SOL.



More information about the Freeradius-Users mailing list