Sorry to keep asking but can you post an example (using mschap) to authenticate from freeradius to AD using the ntlm_auth method? On 8/18/05, Alan DeKok <aland@ox.org> wrote:
Tim P <panterafreak@gmail.com> wrote:
Ok using these settings it seems to authenticate with radtest ... [root@redguard ~]# radtest user userpass localhost:1812 1 radiussecret
i.e. clear-text password.
rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory...
i.e. NO PASSWORD WAS RETURNED BY AD.
rlm_ldap: bind as CN=Tim Porritt,CN=Users,DC=gtdsolutions,DC=org/pantera to gtds-domcon.gtdsolutions.org:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: user tporritt authenticated succesfully
i.e. You're binding to AD as the user.
You are using AD as an "authentication oracle". You hand it bits of information, and it returns yes/no. You are NOT using AD as a database.
These two look to me like they authenticated the user successfully.
Yes. Now try MSCHAP.
In /etc/ppp/options.l2tpd I have .. Is it possible that this will work?
Yes. But you're not getting the password from AD.
As I said: AD will not supply the password. Nothing in what you've posted contradicts that.
Just looking for a way (and preferably and example) of the authentication vs AD since I don't seem to understand how to do it. I have looked in radius.conf and enabled the ntlm authentication but it seems to insist upon using chap and not mschap-v2, is there a difference?
The client asks for CHAP, so that's what the RADIUS server sees. The RADIUS server DOES NOT, and CAN NOT change the authentication method the client uses.
It still complains about the "no cleartext password"
Because, as I've said repeatedly, AD doesn't supply the password to you.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html