Re: FreeRADIUS + Microsoft Active Directory
Do I interpret this the right way?. Even if a microsoft active directory allows anonymous queries FreeRADIUS can't authorize using the active directory LDAP because of the password a user entered isn't verified from the LDAP? AP -> RADIUS (Access-Request) -> anonymous Active DIrectory (MS-CHAPv2) -> LDAP says something like "yes" -> RADIUS (Access-Accept) why isn't this possible?
On 08-06-17 10:55, Konstantin Knaab-Hinrichs via Freeradius-Users wrote:
Do I interpret this the right way?. Even if a microsoft active directory allows anonymous queries FreeRADIUS can't authorize using the active directory LDAP because of the password a user entered isn't verified from the LDAP?
AP -> RADIUS (Access-Request) -> anonymous Active DIrectory (MS-CHAPv2) -> LDAP says something like "yes" -> RADIUS (Access-Accept)
why isn't this possible?
Because you need to read the password hashes from the LDAP-server, and that is not allowed (and shouldn't be). Another option is to bind to the LDAP server with the user credentials, but you'd need the plaintext password of the user in the RADIUS packet to make that work (PAP, optionally wrapped in EAP/TTLS) -- Herwin Weststrate
My colleagues and I guessed that FreeRADIUS uses user credentials automatically if no identity is set in mods-available/ldap because we couldn't figure it out based on what's in the freeradius wiki. Where do I recognize that this is the problem when authenticating? reading the radiusd -X output shows me a successful LDAP bind, but everything results in an Access-Reject after no answer from the Microsofft Active Directories LDAP. Maybe it's because of FreeRADIUS doesn't uses user credentials and not the fault of the LDAP... Thanks - I'll try to figure this out.
On Jun 8, 2017, at 11:18 AM, Konstantin Knaab-Hinrichs via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
My colleagues and I guessed that FreeRADIUS uses user credentials automatically if no identity is set in mods-available/ldap because we couldn't figure it out based on what's in the freeradius wiki.
FreeRADIUS uses what's available. The debug output shows what's available. If there's a User-Password in the packet, FreeRADIUS can do an LDAP bind. If there's MS-CHAP data in the packet, FreeRADIUS MUST use ntlm to AD.
Where do I recognize that this is the problem when authenticating? reading the radiusd -X output shows me a successful LDAP bind, but everything results in an Access-Reject after no answer from the Microsofft Active Directories LDAP.
Then fix AD so that it responds to LDAP queries. Even if you get the LDAP query wrong, AD *should* respond with "nothing found". That is a different error from "AD doesn't answer". Again. reading the debug output will tell you exactly what's going on. Or, if you don't understand it, post it here. Alan DeKok.
participants (3)
-
Alan DeKok -
Herwin Weststrate -
Konstantin Knaab-Hinrichs