Yes I too would like some help with this. This what I am trying to do: 1. authenticate via chap (from chillispot) to freeradius, using unix shadow passwords or pam.. I followed the pam directions and it works fine for pap, but not chap.. 2. also, would like to get it to work via AD (kerberos etc.) A doc on this would be very helpful... Dave
On Mon, 21 Nov 2005, King, Michael wrote:
Oh, excellent. I just joined this list hoping to query the members on finding more information on doing wireless+activedirectory+freeradius, unfortunately I could not find any good postings, or web toots/examples.
Hi Robin, Welcome to the club.
I would need to use Microsoft IAS. Is this false ? Yes, That particular example used Microsoft IAS, but it is not required.
Are people using Active Directory successfully ? Yes. Besides myself, there are many people on this list that are.
I have a linux box that is currently acting as a tacacs server while authenticating using winbind etc, and was hoping to make it a radius server as well.
You are already 3/4 of the way there, since the trickest part of my freeradius setup was getting winbind to talk to activedirectory
Depending on your Linux distribution, you will just have to install freeradius. (Some distributions like Debian require a -disable-shared)
Go thru the radiusd.conf and the eap.conf files, it's clearly commented on what you need to configure.
You'll see a section marked: ntlm_auth = "/path/to/ntlm_auth ........(Trimmed)
You might need to modify this to: ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
Don't hesitate to ask questions. There is a good Howto (unfortuantly, I don't have my bookmarks with me) but some others on the list hopefully will post it.
Yes winbind kerberos stuff works well, and I got it previously working to enable TAC_PLUS to do active directory authentication.
If anyone knows the site with a good howto I would greatly apprecieate it.
Otherwise I am chugging along.
I have gotten the windows program NTRadPing to authenticate non CHAP with a local UNIX account. I am not sure what fields I must enter to get MS-CHAP to test, or if there is even a difference between CHAP and MS-CHAP?
Anyways I fuddled around with a bunch of different combinations and always get this in the logfile
Auth: Login incorrect (rlm_chap: Clear text password not available): - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html