FreeRADIUS and Active Directory

tnt at kalik.net
Thu Feb 19 11:33:21 CET 2009


>I believe I did all I had to enable my freeradius server to chat to
>windows AD
>
>
>I did changes to my FreeRADIUS configuration according to
>http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO

I have news for you - you haven't done any of this:

http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO#Configuration_of_radiusd.conf

> Module: Instantiating mschap
>  mschap {
>	use_mppe = yes
>	require_encryption = no
>	require_strong = no
>	*with_ntdomain_hack = no*
>  }

Also no ntlm_auth configured in mschap module (raddb/modules/mschap). So:

>[mschapv2] +- entering group MS-CHAP {...}
>[mschap]   NT Domain delimeter found, should we have enabled with_ntdomain_hack?

Server asks about the hack.

>[mschap] Told to do MS-CHAPv2 for AD\tomas with NT-Password
>[mschap] FAILED: MS-CHAP2-Response is incorrect
>++[mschap] returns reject

And it isn't using ntlm_auth.

You have an updated manual (relevant to freeradius 2.x) at:

http://deployingradius.com/documents/configuration/active_directory.html

Ivan Kalik
Kalik Informatika ISP
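
An added example, not part of the original post or of FreeRADIUS: a small shell check for the two gaps the reply points out in the mschap module file (with_ntdomain_hack left off, no ntlm_auth line). The function name, the sample files and the "after" contents are assumptions; the ntlm_auth line uses a placeholder path and follows the form of the commented line in the stock 2.x module file, so take the exact value from the guide linked above.

```sh
#!/bin/sh
# Added example: audit an mschap module file for the two gaps named in the reply.
# Prints one finding per gap; returns 0 only when both settings are active.
check_mschap() {
    file=$1
    rc=0
    # Only an uncommented "with_ntdomain_hack = yes" counts.
    if ! grep -Eq '^[[:space:]]*with_ntdomain_hack[[:space:]]*=[[:space:]]*yes' "$file"; then
        echo "with_ntdomain_hack is not enabled"
        rc=1
    fi
    # A "#ntlm_auth = ..." comment does not match, so it is still reported.
    if ! grep -Eq '^[[:space:]]*ntlm_auth[[:space:]]*=' "$file"; then
        echo "ntlm_auth is not configured"
        rc=1
    fi
    return "$rc"
}

# Constructed samples: "before" copies the settings from the debug output above;
# "after" is an assumed corrected form with a placeholder ntlm_auth path.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/before" <<'EOF'
mschap {
	use_mppe = yes
	require_encryption = no
	require_strong = no
	with_ntdomain_hack = no
}
EOF
cat > "$SAMPLES/after" <<'EOF'
mschap {
	use_mppe = yes
	require_encryption = no
	require_strong = no
	with_ntdomain_hack = yes
	ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
EOF

for f in before after; do
    echo "== $f"
    check_mschap "$SAMPLES/$f" && echo "ok" || true
done
```

Point check_mschap at raddb/modules/mschap before restarting the server in debug mode.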



