No. Messages in the past few days have said you can't get passwords from AD. It's impossible.
You have to use ntlm_auth. See radiusd.conf
Alan DeKok.
This still doesn't make any since. I have ntlm_auth enable, and it is working fine autheniticating our vpn users using ms-chap.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 You _cannot_ read the unicodePwd attribute (where the actual passwd lies) from AD. It can only be written to, and then only under certain conditions (SSL/TLS connection, and if not written by an admin, then a delete/add must be performed in the same operation). This is why you should use ntlm_auth w/PEAP for AD auth. You could be able to auth against LDAP (PAP) in a TTLS situation (not tried that yet, so I don't know how it would work), but you will never retrieve the unicodePwd attribute. Hope this helps. Graham, Robert wrote:
No. Messages in the past few days have said you can't get passwords from AD. It's impossible.
You have to use ntlm_auth. See radiusd.conf
Alan DeKok.
This still doesn't make any since. I have ntlm_auth enable, and it is working fine autheniticating our vpn users using ms-chap.
------------------------------------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFCxJoekeDzZCV99qsRAnQAAJ4rmfLNi26taKRiUAByJcXCFXPfYwCfbgn9 joaGdjaT02sbjRGDr0nT18E= =p1sh -----END PGP SIGNATURE-----
participants (2)
-
Graham, Robert -
Michael Brown