Hello everyone,
I would like to receive some help on authentication
with AD using CHAP Passwords. I´ve already configured the radius (v 2.1.6) to
authenticate in the AD (Microsoft) using LDAP and clear-text passwords, until
now it works perfectly, but in the radius debug appear the following message:
“rad_recv:
Access-Request packet from host 192.168.0.100 port 64871, id=7, length=50
User-Name =
"1000700025"
User-Password =
"123456"
+- entering group authorize
{...}
++[preprocess] returns ok
[suffix] No '@' in User-Name
= "1000700025", looking up realm NULL
[suffix] No such realm
"NULL"
++[suffix] returns noop
[ldap] performing user
authorization for 1000700025
[ldap] WARNING: Deprecated
conditional expansion ":-". See "man unlang" for details
[ldap] expand:
(sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) ->
(sAMAccountName=1000700025)
[ldap] expand: dc=pedagogico,dc=net -> dc=pedagogico,dc=net
rlm_ldap: ldap_get_conn:
Checking Id: 0
rlm_ldap: ldap_get_conn: Got
Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to
172.17.16.4:389, authentication 0
rlm_ldap: bind as
wni@pedagogico.net/wni@2009 to 172.17.16.4:389
rlm_ldap: waiting for bind
result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search
in dc=pedagogico,dc=net, with filter (sAMAccountName=1000700025)
[ldap] looking for check
items in directory...
[ldap] looking for reply
items in directory...
č WARNING: No
"known good" password was found in LDAP. Are you sure that the user
is configured correctly? į
[ldap] Setting Auth-Type =
LDAP
[ldap] user 1000700025
authorized to use remote access
rlm_ldap: ldap_release_conn:
Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = LDAP
+- entering group LDAP {...}
[ldap] login attempt by
"1000700025" with password "123456"
[ldap] user DN: CN=LUIZ RICARDO DE VILLA SCANDELARI,OU=Users,OU=UNIFAE,OU=Users
and Computers,DC=PEDAGOGICO,DC=NET
rlm_ldap: (re)connect to
172.17.16.4:389, authentication 1
rlm_ldap: bind as CN=LUIZ RICARDO DE VILLA
SCANDELARI,OU=Users,OU=UNIFAE,OU=Users and
Computers,DC=PEDAGOGICO,DC=NET/123456 to 172.17.16.4:389
rlm_ldap: waiting for bind
result ...
rlm_ldap: Bind was successful
[ldap] user 1000700025
authenticated succesfully
++[ldap] returns ok
+- entering group post-auth
{...}
++[exec] returns noop
Sending Access-Accept of id 7
to 192.168.0.100 port 64871
Finished request 0.”
I suppose that happens because I cannot
read the AD user password, right? The important is that works with LDAP authentication.
The problem is that I have a system that sends Access-Requests with Username
and CHAP-Passwords (CoovaChilli), so radius authorize the user but cannot
authenticate it.
I´ve already read the Allan´s webpage (http://deployingradius.com/documents/configuration/active_directory.html)
about integration of AD and RADIUS but I still have some questions. Can I use
CHAP with SAMBA ntlm_auth method or should i need to change the password
encryption to another protocol such as PAP or MS-CHAP? If I modify the
coovachilli to send PAP passwords, am I going to be able to use ldap for authorization
and authentication or do I need just plain?
I hope somebody can help me.
Thanks,
LUIZ GUSTAVO SCANDELARI
Skype: luiz.gustavo.wni