Issues authenticating vs 2003 AD
Alan DeKok
aland at ox.org
Thu Aug 18 20:25:30 CEST 2005
Tim P <panterafreak at gmail.com> wrote:
> Ok using these settings it seems to authenticate with radtest
...
> [root at redguard ~]# radtest user userpass localhost:1812 1 radiussecret
i.e. clear-text password.
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
i.e. NO PASSWORD WAS RETURNED BY AD.
> rlm_ldap: bind as CN=Tim
> Porritt,CN=Users,DC=gtdsolutions,DC=org/pantera to
> gtds-domcon.gtdsolutions.org:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: user tporritt authenticated succesfully
i.e. You're binding to AD as the user.
You are using AD as an "authentication oracle". You hand it bits of
information, and it returns yes/no. You are NOT using AD as a database.
> These two look to me like they authenticated the user successfully.
Yes. Now try MSCHAP.
> In /etc/ppp/options.l2tpd I have
..
> Is it possible that this will work?
Yes. But you're not getting the password from AD.
As I said: AD will not supply the password. Nothing in what you've
posted contradicts that.
> Just looking for a way (and preferably an example) of the
> authentication vs AD since I don't seem to understand how to do it. I
> have looked in radius.conf and enabled the ntlm authentication but it
> seems to insist upon using chap and not mschap-v2, is there a
> difference?
The client asks for CHAP, so that's what the RADIUS server sees.
The RADIUS server DOES NOT, and CAN NOT change the authentication
method the client uses.
> It still complains about the "no cleartext password"
Because, as I've said repeatedly, AD doesn't supply the password to
you.
Alan DeKok.
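To make the "authentication oracle" versus "database" distinction concrete, here is an added example (not from the thread, and not FreeRADIUS code) with a constructed stand-in for AD that only answers bind requests. PAP can be checked through such an oracle; CHAP (RFC 1994, MD5 over id, password and challenge) can only be checked by a server that holds the clear-text password itself, which is exactly what AD does not hand out.

```python
import hashlib
import hmac
from typing import Optional

# Constructed directory contents (assumed sample account, not a real one).
# Like AD, it answers "does this password bind?" and never returns the password.
_DIRECTORY = {"tporritt": "userpass"}


def ad_bind(username: str, password: str) -> bool:
    """The oracle: a simple bind as the user, answered yes/no."""
    return _DIRECTORY.get(username) == password


def chap_response(chap_id: int, password: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(id || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password.encode() + challenge).digest()


def verify_pap_via_oracle(username: str, password: str) -> bool:
    """PAP carries the clear-text password, so binding as the user is enough."""
    return ad_bind(username, password)


def verify_chap_locally(stored_password: str, chap_id: int,
                        challenge: bytes, response: bytes) -> bool:
    """Works only when the RADIUS server itself knows the clear-text password
    (e.g. a users file, or an LDAP attribute that actually returns it)."""
    expected = chap_response(chap_id, stored_password, challenge)
    return hmac.compare_digest(expected, response)


def verify_chap_via_oracle(username: str, chap_id: int,
                           challenge: bytes, response: bytes) -> Optional[bool]:
    """With only a bind oracle there is nothing to bind with: the packet holds
    an MD5 digest, not a password, and the oracle cannot be asked about a
    digest. Returns None ("cannot decide"), the situation behind the
    'no cleartext password' complaint in the thread."""
    if username not in _DIRECTORY:
        return False
    return None  # no clear-text password available to recompute the digest
```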