Oh, I am sorry, I missed that important detail. Then you are out of luck, as compatibility.html indicates. Cheers, Eloy Paris.- On 09/03/2014 12:26 PM, Dennis Xu wrote:
Thanks. Yes we have to configure FreeRadius server to use ntlm_auth. But my problem is that our AD does not store passwords in NT hash format. They use SHA1 hash or crypt'd format.
Dennis
----- Original Message ----- From: "Eloy Paris" <peloy@chapus.net> To: dxu@uoguelph.ca, "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Sent: Wednesday, September 3, 2014 12:01:26 PM Subject: Re: Limitation of authenticating against AD
On 09/03/2014 11:52 AM, Dennis Xu wrote:
Hello,
I am looking for confirmation that because our AD stores passwords in crypt'd or SHA1 format, we cannot use FreeRadius to authenticate against our AD using PEAP and EAP-MSCHAPv2?
http://deployingradius.com/documents/protocols/compatibility.html
Is the above link still up-to-date?
Take a look at:
http://deployingradius.com/documents/configuration/active_directory.html
You need to configure your FreeRADIUS server to use ntlm_auth precisely because FreeRADIUS does not have access to the cleartext passwords of Active Directory users.
Cheers,
Eloy Paris.-