If you're using AD, plaintext (PAP) authentication, and are wanting to restrict the users to a certain OU, you should probably use the rlm_ldap module. That way you can set the base search DN to your Cisco Admins OU. It'll probably be a little easier to use and set up, too, than the Kerberos module. --Mike On Jun 19, 2006, at 11:12 AM, Doug White wrote:
Alan,
Thanks for your reply. Is the plain text kerberos check something that gets configured in the radiusd.conf file? I was hoping to create a OU in AD called Cisco Admins and then have FreeRADIUS authenticate against those user names and passwords. I was told in another post that according to the radiusd -X output FreeRADIUS was attempting to check another location where no user names or passwords were setup.
Thanks again,
Doug
-----Original Message----- From: freeradius-users-bounces +dwhite=infosysnetworks.com@lists.freeradius.org on behalf of A.L.M.Buxey@lboro.ac.uk Sent: Fri 6/16/2006 1:25 PM To: FreeRadius users mailing list Subject: Re: Active Directory Integration with FreeRADIUS - NTLM_Auth
hi,
the guide you are following - using ntlm_auth against AD, binding into AD etc is really geared up for doing EAP (PEAP MSCHAPv2 in particular) what _you_ are attempting to do with RADIUS for login authentication of the cisco switches/routers involves plaintext passwords...int his case you'd want to use a kerberos check against your AD instead
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/ users.html
<winmail.dat> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/ users.html