Freeradius in an AD environment on opensuse server

Ivan Kalik tnt at kalik.net
Thu Aug 14 16:15:57 CEST 2008


You can't get cleartext password from AD, but you can extract encrypted
(nt hashed) password as NT-Password with ldap. You will be able to
authenticate pap and mschap requests with that.

Ivan Kalik


On 14/8/2008, "Murray, Elizabeth [DNR]"
<Elizabeth.Murray at dnr.iowa.gov> wrote:

>Thanks.   Glad I didn't get this last night or I wouldn't have slept!!!
>
>
>I will have multiple access points spread across a large geographic area that will authenticate to a series of Radius servers located in the internal network.  Any other suggestions would be appreciated.  I've got most of this in my head so I need to do some writing.  I'm here for 2 days then vacation.  I almost don't want to go because this has been such a frustrating task for me.
>
>Thanks again.  Any more ideas would be appreciated.
>
>Liz M
>
>-----Original Message-----
>From: freeradius-users-bounces+elizabeth.murray=dnr.iowa.gov at lists.freeradius.org [mailto:freeradius-users-bounces+elizabeth.murray=dnr.iowa.gov at lists.freeradius.org] On Behalf Of Maurizio Cimaschi
>Sent: Wednesday, August 13, 2008 5:44 PM
>To: FreeRadius users mailing list
>Subject: Re: Freeradius in an AD environment on opensuse server
>
>Hi Liz,
>
>Murray, Elizabeth [DNR] wrote:
>> We’ve moved from a Novell eDirectory solution to . . . . Active Directory.
>
>I'm not an AD expert, but they say (
>http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/dsbg_dat_jhzx.mspx?mfr=true
>) that AD is accessible using the LDAPv3 protocol; so it should be
>possible to use it like any other LDAP server.
>
>> Can I set up freeradius to authenticate with ldaps and be secure?
>
>What do you mean by "to be secure"?
>Do you mean the connection between the radius server and the AD?
>Are you familiar with the SCHEMAs used in AD (I'm not, by the way)?
>Have you already planned the access rules that you will need on the AD
>to complete the authentication/authorization procedure?
>(These are questions intended for yourself, in the first place).
>
>> The
>> ldap would be Microsoft and is on my domain controller.   I have
>> websites using the ldap process but OR do I have to do that samba thing?
>
>First of all, I think that you should take a moment to put down the
>architecture that you're working with (just to have a complete picture),
>your goals and the expertise that is available to you and/or your
>colleagues/organization. Then, you can start planning your setup.
>
>
>
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



