On Feb 10, 2025, at 7:20 PM, Adnan RIHAN <axel50397@gmail.com> wrote:
It works great, users and computers are members of the AD, so it’s using mschapv2 and ntlm_auth.
That's good.
Now, I would like to setup a hotspot on mikrotik to authenticate the users to the same Samba AD, the thing is, Mikrotik only supports CHAP and PAP. As far as I understand, Samba AD only supports mschapv2 so it seems I’m stuck with PAP as the common mechanism. Am I right ?
If the RADIUS server receives User-Password (ie. PAP),then you can skip ntlm_auth, and just verify the password directly via the LDAP module. See mods-available/ldap for more information.
If so, as I’m still using the default site, is there a guide to use ntlm_auth with PAP as a fallback mechanism if mschap and eventually chap (keeping it just in case I can use it for something else later) fail? Or do you guys have a better idea for my needs please?
You don't configure a "fallback" mechanism. The server receives either PAP or MS-CHAP, and then authenticates the user. You should set it up so that PAP requests get authenticated via LDAP, and MS-CHAP requests use ntlm_auth. Alan DeKok.