RADIUS Auth-Type

Phil Mayers p.mayers at imperial.ac.uk
Tue Dec 6 20:24:31 CET 2005


Bohannan, Chad W wrote:
>>> You cannot set the Auth-Type to "MS-CHAP" and have it work unless the 
>>> MS-CHAP challenge and response are in the radius request, which means 
>>> the NAS has to add them.
> - 
> .....so is there not a way to have FR proxy request out to the AD
> server? 

There is not an obvious easy way of using the "ntlm_auth" helper with 
the plaintext user/password in PAP, though it may be possible using the 
"exec" module.

PAP requests can be authenticated by doing an LDAP simple bind to an AD 
server I believe (I've never done it). The "doc/rlm_ldap" file seems to 
describe most of what's required:

"""When rlm_ldap has found the DN corresponding to the username provided 
in the access-request (all this happens in the authorize section) it 
will add an Ldap-UserDN attribute in the check items list containing 
that DN. The attribute will be searched for in the authenticate section 
and if present will be used for authentication (ldap bind with the user 
DN/password). Otherwise..."""

Which sounds to me like you should be able to put an (appropriately 
configured) "ldap" in authorize and authenticate and it will just work(tm).

One thing I do know is that AD REQUIRES that you bind as some user (e.g. 
a service account) first before searching for the actual user. Most 
likely an appropriate config for you would look like the default config 
with appropriate entries, and an "identity" and "password" defined (and 
probably with access_attr commented out).

But I haven't used it. That said, there are a lot of recent posts about 
AD and LDAP, so one of them may contain fuller details.
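
As an added illustration (not part of Phil's reply or of the FreeRADIUS 
project's own docs), here is a FreeRADIUS 1.x radiusd.conf fragment along 
the lines described above: "ldap" in both authorize and authenticate, a 
bind identity/password for the AD search, and access_attr commented out. 
The host name, DNs, service-account name, port and the sAMAccountName 
filter are assumptions for a typical AD setup, not values from the post.

```conf
# Added example, not from the mailing-list post. Placeholders throughout.
modules {
	ldap {
		# AD domain controller. Assumption: LDAPS on 636 so the user's
		# plaintext PAP password does not cross the wire to the DC in
		# the clear (older rlm_ldap may also need its tls options set).
		server = "dc1.example.com"
		port = 636
		# AD refuses anonymous searches, so bind as a low-privilege
		# service account before looking the user up.
		identity = "svc-radius@example.com"
		password = "CHANGE-ME"
		basedn = "dc=example,dc=com"
		# AD keeps the login name in sAMAccountName rather than uid.
		filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
		# Left commented out, as suggested above. Note the consequence:
		# any account the search finds may attempt a bind, so restrict
		# who can authenticate via basedn/filter or an LDAP group check.
		# access_attr = "dialupAccess"
		timeout = 4
		timelimit = 3
		net_timeout = 1
	}
}

authorize {
	preprocess
	# Looks up the DN and adds Ldap-UserDN to the check items; with
	# set_auth_type at its default it also sets Auth-Type := LDAP
	# for requests that carry a User-Password (i.e. PAP).
	ldap
	files
}

authenticate {
	# Binds to AD as Ldap-UserDN with the request's User-Password.
	# Only PAP can be checked this way; CHAP/MS-CHAP need an NT hash
	# or the ntlm_auth helper, which a plain LDAP bind cannot provide.
	Auth-Type LDAP {
		ldap
	}
}
```

Test with `radtest` from the server itself first; a bind failure shows up in debug output (`radiusd -X`) as an LDAP error from the authenticate section, not as a bad config parse.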
