On 28 Jan 2014, at 11:35, Luke Ramsden <lukermsdn@gmail.com> wrote:
I have experimented with using LDAP bind before and encountered problems (see link below). One of the responses on the thread said I must use MSCHAPv2 if I do not have plaintext passwords in AD - which I do not:
"Unless you are storing passwords in Active Directory in plain text or you want to use Kerberos authentication, you will have to use MSCHAPv2 (or its EAP equivalent, EAP-MSCHAPv2)."
Previous thread relating to LDAP auth: http://freeradius.1045715.n5.nabble.com/LDAP-Active-Directory-Authentication...
Stefan's answer was slightly misleading. If you have the Cleartext-Password from the user you can attempt to bind as the user again the AD LDAP interface and use the bind result to determine whether to reject or allow the user. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2