Limitation of authenticating against AD

Wang, Yu ywang10 at fsu.edu
Wed Sep 3 22:40:21 CEST 2014


> But my problem is that our AD does not store passwords in NT hash format. They use SHA1 hash or crypt'd format.

Bind users to AD, as Active Directory is a combo of Kerberos and LDAP. It allows LDAP bind. Alternatively, you can use EAP-TTLS and Kerberos. Or you can use AD's certificate authority and issue certificates to users and use EAP-TLS to do authentication.

Yu

-----Original Message-----
From: freeradius-users-bounces+ywang10=fsu.edu at lists.freeradius.org [mailto:freeradius-users-bounces+ywang10=fsu.edu at lists.freeradius.org] On Behalf Of Dennis Xu
Sent: Wednesday, September 03, 2014 12:27 PM
To: Eloy Paris
Cc: FreeRadius users mailing list
Subject: Re: Limitation of authenticating against AD

Thanks. Yes we have to configure FreeRadius server to use ntlm_auth. But my problem is that our AD does not store passwords in NT hash format. They use SHA1 hash or crypt'd format.



Dennis

----- Original Message -----
From: "Eloy Paris" <peloy at chapus.net>
To: dxu at uoguelph.ca, "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
Sent: Wednesday, September 3, 2014 12:01:26 PM
Subject: Re: Limitation of authenticating against AD

On 09/03/2014 11:52 AM, Dennis Xu wrote:

> Hello,
>
> I am looking for confirmation that because our AD stores passwords in crypt'd or SHA1 format, we cannot use FreeRadius to authenticate against our AD using PEAP and EAP-MSCHAPv2?
>
> http://deployingradius.com/documents/protocols/compatibility.html
>
> Is the above link still up-to-date?

Take a look at:

http://deployingradius.com/documents/configuration/active_directory.html

You need to configure your FreeRADIUS server to use ntlm_auth precisely because FreeRADIUS does not have access to the cleartext passwords of Active Directory users.

Cheers,

Eloy Paris.-
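The two paths discussed in this thread (ntlm_auth for PEAP/EAP-MSCHAPv2, and an LDAP bind for password-carrying methods such as EAP-TTLS/PAP) look like the following in FreeRADIUS 3.x configuration. This is an added example, not configuration posted by anyone in the thread or shipped by the FreeRADIUS project; the domain name EXAMPLE, the host dc1.example.internal, the DNs, the service account and the CA file path are placeholders to replace with your own values.

```unlang
# Added example (not from the thread). Placeholders: EXAMPLE, dc1.example.internal,
# the DNs, the radius-svc account and the CA file path.

# --- Path 1: PEAP/EAP-MSCHAPv2 via ntlm_auth (mods-available/mschap) ---
# MSCHAPv2 proves knowledge of the NT hash, so FreeRADIUS hands the
# challenge/response pair to the domain through winbind instead of needing
# the hash itself. The domain must still be able to verify an NT-hash based
# response for the user; this path cannot help for accounts whose password
# exists only as a SHA-1 or crypt hash.
mschap {
    use_mppe = yes
    require_encryption = yes
    require_strong = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

# --- Path 2: LDAP bind as the user (mods-available/ldap) ---
# Used with methods that deliver the password itself (PAP, EAP-TTLS/PAP, EAP-GTC).
# AD verifies the password during the bind, so the hash format stored in AD
# does not matter. Keep the user's password inside the TLS tunnel (EAP-TTLS)
# and talk to the DC over LDAPS only.
ldap {
    server = "ldaps://dc1.example.internal"
    # Read-only lookup account used to find the user's DN before the bind.
    identity = "CN=radius-svc,OU=Service Accounts,DC=example,DC=internal"
    password = "CHANGE-ME"
    base_dn = "DC=example,DC=internal"
    user {
        base_dn = "${..base_dn}"
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
    tls {
        # Validate the domain controller's certificate; never bind without it.
        ca_file = /etc/ssl/certs/example-root-ca.pem
        require_cert = "demand"
    }
}

# --- sites-available/inner-tunnel (the virtual server used inside EAP-TTLS) ---
authorize {
    # ... other modules ...
    ldap
    # Route to the LDAP bind only when the client actually sent a cleartext
    # password; MSCHAPv2 requests carry no User-Password and stay on the
    # mschap/ntlm_auth path.
    if ((ok || updated) && User-Password) {
        update {
            control:Auth-Type := ldap
        }
    }
    # ...
}

authenticate {
    Auth-Type LDAP {
        ldap
    }
    mschap
    eap
}
```

A quick check after enabling either path is to run the server in debug mode (radiusd -X) and watch for "ntlm_auth" or "ldap" lines in the authenticate section while sending a test request; with the LDAP path, a wrong password must produce a bind failure from the DC, and an MSCHAPv2 request must never reach Auth-Type LDAP.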

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

