Hi, From: Alan DeKok <aland@deployingradius.com> Reply-To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Date: Dienstag, 25. März 2014 21:55 To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: LDAP and/or Active Directory
Mischa Diehm wrote:
For me using ntlm_auth seems like a great deal of adding complexity and dependencies compared to using ldap. I see no real gain in the ntlm_auth road when it comes to User-Auth.
You're missing the point. Active Directory does *not* give a password to FreeRADIUS, so that FreeRADIUS can do the authentication.
For MS-CHAP or PEAP, your *only* choice with AD is to use ntlm_auth. It doesn't matter if you think it's complex. It's the ONLY choice.
Thanks for the clarification. My main intent wasn't to make PEAP/MS-CHAP work but to have PAP work with AD. Now after some more reading and discussion I'm quite confident it is possible to sync sambaNTPassword to the global catalog of AD (which we use also use in the PAP auth) and have things aligned and in a way that is actually less complex and less slow using the ldap module. I will be testing this in the near future. In a private discussion with a list member I was told that PAP is much less secure than using MSCHAPv2 but I disagree with this argument. No gain in terms of security when using MSCHAPv2. Both need a secure transport layer. Summing this up I think the lesson learned - at least for me - is that it doesn't really matter if you have AD or LDAP as a backend store. You can have the full flexibility with both backends. Mischa