Freeradius and Active directory (An aside)

Nicolas Goutte nicolas.goutte at extragroup.de
Tue May 20 16:39:38 CEST 2008


On 20.05.2008 at 16:20, Arran Cudbard-Bell wrote:

> Dean, Barry wrote:
>> Alan DeKok said:
>>
>>
>>>  It is impossible to use CHAP to authenticate to AD.  You MUST use
>>> MS-CHAP, or PAP.
>>>
>>
>> When testing my Radius server with AD and XSupplicant I found that  
>> EAP-TTLS with MD5 inner auth and EAP-MD5 as well as EAP-TTLS with  
>> CHAP inner auth all failed.
>>
>> So you have explained why EAP-TTLS (CHAP) fails, thanks!
>>
>> So, is EAP-MD5 and EAP-TTLS (MD5) not possible also, or is my  
>> Radius config broken?
>>
> EAP-MD5 won't work either...
>
> Ok, the basic requirement for most authentication schemes  
> transferring the user's credentials as a non-reversible hash is  
> that the password is available RADIUS side as either a clear-text  
> string, or as a reversible hash which can be transformed back into  
> a clear-text string.
>


> I say most because there are of course a few exceptions, the most  
> notable being MSCHAP & MSCHAPv2 which allow you to store the  
> password directory side as an MD4 hash of the passphrase encoded as  
> a 16-bit Unicode string (NT Password) or a LANMAN password (can't  
> remember the encoding for that).

For those interested in how the passwords are made, see the man page for  
smbpasswd(5), e.g.: http://samba.org/samba/docs/man/manpages-3/smbpasswd.5.html

>
> I believe that AD uses NT Password hashes, which is why PEAP just  
> works out of the box with Microsoft IAS. So no, MD5/CHAP won't work  
> with Active Directory. But PAP, MSCHAP/MSCHAPv2 should all work  
> just fine.
>
> Thanks,
> Arran
>
>
>> ---------------
>> Barry Dean
>> Networks Team
>>
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>>
>
>
> -- 
> Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk)
> Authentication, Authorisation and Accounting Officer
> Infrastructure Services (IT Services) E1-1-08, Engineering 1,  
> University Of Sussex, Brighton
> EXT: +44 1273 873900 | INT: 3900
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Nicolas Goutte


extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Geschäftsführer: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Registergericht: Amtsgericht Münster / HRB: 5624
Steuer Nr.: 337/5903/0421 / UstID: DE 204607841