Thanks for the information. So FreeRadius uses LDAP to authenticate against AD and LDAP cannot read the passwords in those formats. Apparently ACS has a different implementation on authenticating against AD that they don't care about the password format stored in AD: http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_sy... Dennis ----- Original Message ----- From: "Alan DeKok" <aland@deployingradius.com> To: dxu@uoguelph.ca, "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Sent: Wednesday, September 3, 2014 12:01:53 PM Subject: Re: Limitation of authenticating against AD Dennis Xu wrote:
I am looking for confirmation that because our AD stores passwords in crypt'd or SHA1 format, we cannot use FreeRadius to authenticate against our AD using PEAP and EAP-MSCHAPv2?
No. AD stores it's passwords in NT-Hash format. And it does NOT allow FreeRADIUS (or anyone) to read those passwords via LDAP.
http://deployingradius.com/documents/protocols/compatibility.html
Is the above link still up-to-date?
Yes. Alan DeKok.