Greetings, I am trying to authenticate my network against Windows 2003 Active Directory. With help from Ivan Kalik, I was able to use NTLM to communicate with Windows 2003 server and authenticate EAP clients. On the EAP side I am using PEAP since they are mostly windows XP clients and I don't think there is another choice (please correct me if I am wrong). However on the Radius server side, I seem to have options. It seems that I can use NTLM, Kerberos 5 or LDAP to authenticate with Windows Domain Controller. So my questions are: Can I use any of them? If yes, could you send me helpful links about how to use Kerberos 5 and LDAP? Which one is the most recommended and why? You may have noticed that I have posted several questions these days and I really appreciate your help! Now I am really a fan of FreeRadius. I really want to learn it well and understand what it's capable of. I am a Cisco guy and I have some Linux experience but no programming experience. Can any of you recommend me a book about how to use FreeRadius? I think that will stop me asking stupid questions... Thank you! Difan Zhao Network Engineer difan.zhao@guest-tek.com www.guest-tek.com <http://www.guest-tek.com/> Office: 403-509-1010 ext 3048 Cell: 403-689-7514
I am trying to authenticate my network against Windows 2003 Active Directory. With help from Ivan Kalik, I was able to use NTLM to communicate with Windows 2003 server and authenticate EAP clients. On the EAP side I am using PEAP since they are mostly windows XP clients and I don't think there is another choice (please correct me if I am wrong). However on the Radius server side, I seem to have options. It seems that I can use NTLM, Kerberos 5 or LDAP to authenticate with Windows Domain Controller. So my questions are:
Can I use any of them?
No. Kerberos requires clear password in radius request, so it can't be used with peap. AD is sort of a (deliberately) broken ldap server. It won't pass the clear text password to non-Windows radius server - only to IAS. So you can't use AD as ldap for peap either. ntlm_auth it is. Ivan Kalik
participants (2)
-
Difan Zhao -
tnt@kalik.net