I have experimented with using LDAP bind before and encountered problems (see link below). One of the responses on the thread said I must use MSCHAPv2 if I do not have plaintext passwords in AD - which I do not:

         "Unless you are storing passwords in Active Directory in plain text or you want to use Kerberos authentication, you will have to use MSCHAPv2 (or its EAP equivalent, EAP-MSCHAPv2)."

Previous thread relating to LDAP auth: http://freeradius.1045715.n5.nabble.com/LDAP-Active-Directory-Authentication-Issue-td5724001.html#a5724014

Is this correct? Must I use MSCHAPv2? If so, I guess that goes back to my original question.

Many thanks
-Luke


On Tue, Jan 28, 2014 at 10:22 AM, arr2036 [via FreeRADIUS] <ml-node+s1045715n5724717h88@n5.nabble.com> wrote:

On 28 Jan 2014, at 09:50, Luke Ramsden <[hidden email]> wrote:

> I have my shared secrets set in clients.conf and then on the cisco switch
> using the 'radius-server' command:
> http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfrad.html#wp1001000
>
> Is this hard-coded approach incorrect? When I view the radiusd -X output
> for a PAP request I dont have to get the shared secret right as its already
> there. Hope that makes sense.

Yes, it's fine to hardcode your shared secrets.
Yes, you'll see the cleartext password if running in debugging mode.

Arran Cudbard-Bell <[hidden email]>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

signature.asc (899 bytes) Download Attachment



If you reply to this email, your message will be added to the discussion below:
http://freeradius.1045715.n5.nabble.com/SSH-Logins-to-Cisco-Switch-RADIUS-Active-Directory-tp5724701p5724717.html
To unsubscribe from Users, click here.
NAML