NTLM, Kerberos 5 or LDAP

tnt at kalik.net
Wed Dec 23 02:08:21 CET 2009


> I am trying to authenticate my network against Windows 2003 Active
> Directory. With help from Ivan Kalik, I was able to use NTLM to
> communicate with Windows 2003 server and authenticate EAP clients. On
> the EAP side I am using PEAP since they are mostly Windows XP clients
> and I don't think there is another choice (please correct me if I am
> wrong). However on the RADIUS server side, I seem to have options. It
> seems that I can use NTLM, Kerberos 5 or LDAP to authenticate with
> Windows Domain Controller. So my questions are:
>
> Can I use any of them?

No. Kerberos requires a clear password in the RADIUS request, so it can't be
used with PEAP. AD is sort of a (deliberately) broken LDAP server. It
won't pass the clear text password to a non-Windows RADIUS server - only to
IAS. So you can't use AD as LDAP for PEAP either. ntlm_auth it is.

Ivan Kalik
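
How the ntlm_auth route from the reply above is typically wired into FreeRADIUS, as an added example that is not part of the original post. It assumes a FreeRADIUS 2.x configuration layout, a server already joined to the domain through Samba/winbind, and ntlm_auth installed at /usr/bin/ntlm_auth; adjust the file paths and expansion syntax for your version.

```conf
# raddb/modules/mschap  (file location assumed: FreeRADIUS 2.x layout)
mschap {
    # Derive MPPE keys after a successful MS-CHAPv2 exchange; the
    # access point needs them to key the 802.1X session.
    use_mppe = yes
    require_encryption = yes
    require_strong = yes

    # Windows clients send DOMAIN\user as the name but compute the
    # response over the user part only; this setting accounts for that.
    with_ntdomain_hack = yes

    # PEAP's inner method is MS-CHAPv2, so the server holds only the
    # challenge and the NT-Response, never the password. ntlm_auth
    # passes both to winbind, which has the domain controller validate
    # them and returns the NT key used for MPPE.
    # The binary path is an assumption; use the one on your system.
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

# raddb/sites-available/inner-tunnel  (the virtual server PEAP runs inside)
authorize {
    # Detects the MS-CHAP attributes and sets Auth-Type to MS-CHAP.
    mschap
    eap
}

authenticate {
    # Only mschap is listed for the tunnelled request. The krb5 and
    # ldap bind methods compare against a clear-text User-Password,
    # which a PEAP/MS-CHAPv2 request does not contain.
    Auth-Type MS-CHAP {
        mschap
    }
    eap
}
```

The account running radiusd needs read access to winbind's privileged pipe directory, otherwise ntlm_auth fails even when the domain join is healthy.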




More information about the Freeradius-Users mailing list