Mischa Diehm wrote:
For me using ntlm_auth seems like a great deal of adding complexity and dependencies compared to using ldap. I see no real gain in the ntlm_auth road when it comes to User-Auth.
You're missing the point. Active Directory does *not* give a password to FreeRADIUS, so that FreeRADIUS can do the authentication. For MS-CHAP or PEAP, your *only* choice with AD is to use ntlm_auth. It doesn't matter if you think it's complex. It's the ONLY choice.
Using it for group-validation is a different story and could - for us - be very handy since our Groups are defined and stored in AD and haven't found their way into LDAP yet. So I was looking for a way to achieve that.
For group lookups, AD is just an LDAP server. That works.
"During authentication, AuthBy ADSI check and honours AccountDisabled, IsAccount- Locked and LoginHours for the user being authenticated. It also checks the users pass- word (by attempting to change it). Because Active Directory does not make the plaintext password available, <AuthBy ADSI> only supports PAP, not CHAP or MSCHAP authentication."
Yes.... FreeRADIUS can do "Auth-Type := LDAP" with PAP authentication to AD. You don't need ntlm_auth for that.
This would not be usable in case of eduroam (restrictions you guys already mentioned concerning AD as LDAP equivalent) but in almost all of our other use cases where we have the Password transmitted.
The use Auth-Type := LDAP.
Has this been looked at or event implemented within freeradius?
Yes... we've been doing this for 15 years.
Maybe it's already possible to use this with the LDAP module?
Yes, for User-Password in the Access-Request. Alan DeKok.