VS: Chap auhtentication against LDAP
Hi, So i cannot do this about using freeradius, but i can make it using IAS (see link)? http://h40060.www4.hp.com/procurve/includes/application-notes/index.php?cc=u... Br, Ville -----Alkuperäinen viesti----- Lähettäjä: freeradius-users-bounces+ville.leinonen=solodel.com@lists.freeradius.org puolesta: Alan DeKok Lähetetty: pe 3.4.2009 16:10 Vastaanottaja: FreeRadius users mailing list Aihe: Re: Chap auhtentication against LDAP Ville Leinonen wrote:
Does Freeradius 2.1.5 support chap authentication against ldap?
No RADIUS server supports this. It's impossible. Instead, have FreeRADIUS pull the clear-text password from LDAP. FreeRADIUS can then do CHAP. If you don't have a clear-text password in LDAP, it's impossible. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ville Leinonen wrote:
So i cannot do this about using freeradius, but i can make it using IAS (see link)?
No. You seemed to have misunderstood my response. Let me say it a different way: LDAP servers cannot do CHAP authentication. Why? Because LDAP servers are *DATABASES*. LDAP servers are not *authentication* servers. FreeRADIUS is an *AUTHENTICATION* server. Configure FreeRADIUS so that it pulls the clear-text password from LDAP. FreeRADIUS will then do CHAP authentication. If you don't have a clear-text password in LDAP, then doing CHAP authentication is impossible. It is impossible with FreeRADIUS, IAS, Cisco ACS, Juniper SBR, Radiator, and also with every other RADIUS server on the planet. And go read my web page: http://deployingradius.com/documents/protocols/compatibility.html Alan DeKok.
So i cannot do this about using freeradius, but i can make it using IAS (see link)?
http://h40060.www4.hp.com/procurve/includes/application-notes/index.php?cc=u...
But that's not LDAP, that's Active Directory. Active Directory can be made to reveal a clear text password to IAS (setting needs to be activated *before* you start storing passwords in it; if AD passwords are stored only in nt format, and you then enable this - CHAP still won't work: it will work *after* next password change - AD will store both clear and nt version of the new password). Microsoft does not allow this for third party radius servers. Ivan Kalik Kalik Informatika ISP
participants (3)
-
Alan DeKok -
tnt@kalik.net -
Ville Leinonen