On 03-09-14 18:24, Dennis Xu wrote:
Thanks for the information. So FreeRadius uses LDAP to authenticate against AD
That would be an uncommon setup. You can authenticate via the tool ntlm_auth (which uses RPC over SMB, and is kind of limited to Active Directory and Samba), or you proxy the request and enable the RADIUS-server of Active Directory (I believe it was called NPS).
and LDAP cannot read the passwords in those formats.
No, Alan said you cannot read the passwords via LDAP, that has nothing to do with the format of the stored passwords. But you don't need to read the password in order to authenticate.
Apparently ACS has a different implementation on authenticating against AD that they don't care about the password format stored in AD:
http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_sy...
AD stores NT hashes, they are compatible with MSCHAPv2. -- Herwin Weststrate