Is it possible to authenticate PAP credentials from the NAS against a Windows domain using NTLM? I've tried using the mschap module, but it expects to see a Challenge that the NAS doesn't provide. thanks, josh.
Hi Josh, nice to see you also on this list :-)
Is it possible to authenticate PAP credentials from the NAS against a Windows domain using NTLM? I've tried using the mschap module, but it expects to see a Challenge that the NAS doesn't provide.
If you want to authenticate against AD and have PAP credentials available, just treat the AD server like an LDAP server, i.e.: the ldap {} section is for you. It will use the credentials to bind as the user to AD, and if that succeeds the user is allowed in. Greetings, Stefan -- Stefan WINTER Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche Ingenieur Forschung & Entwicklung 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg E-Mail: stefan.winter@restena.lu Tel.: +352 424409-1 http://www.restena.lu Fax: +352 422473
Hi Stefan, We probably need a freeradius-eduroam list :-)
Is it possible to authenticate PAP credentials from the NAS against a Windows domain using NTLM? I've tried using the mschap module, but it expects to see a Challenge that the NAS doesn't provide.
If you want to authenticate against AD and have PAP credentials available, just treat the AD server like an LDAP server, i.e.: the ldap {} section is for you. It will use the credentials to bind as the user to AD, and if that succeeds the user is allowed in.
I didn't realise that AD allowed authenticated binds from users by default. Does it require some special tweaking? Our AD admin are *very* cautious about who talks to it... (probably very sensible). best regards, josh.
Hi Josh, So long as the user is a valid user, it can be used to do the bind, AFAIK. I used to do this at the office. Our AD Admins created a special account with a non-expiring password but no other special privileges to authenticate the search/bind and that worked fine. We used to use EAP-TTLS/PAP for wireless login. We also used the GINA module in the 802.1x supplicant we had to authenticate prior to completion of windows login so that login scripts worked properly too :-) Rgds, Guy On 15/02/06, Josh Howlett <josh.howlett@bristol.ac.uk> wrote:
Hi Stefan,
We probably need a freeradius-eduroam list :-)
Is it possible to authenticate PAP credentials from the NAS against a Windows domain using NTLM? I've tried using the mschap module, but it expects to see a Challenge that the NAS doesn't provide.
If you want to authenticate against AD and have PAP credentials available, just treat the AD server like an LDAP server, i.e.: the ldap {} section is for you. It will use the credentials to bind as the user to AD, and if that succeeds the user is allowed in.
I didn't realise that AD allowed authenticated binds from users by default. Does it require some special tweaking? Our AD admin are *very* cautious about who talks to it... (probably very sensible).
best regards, josh. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Guy Davies -
Josh Howlett -
Stefan Winter