EAP problem
Michael Brown
mikal at mikro-net.com
Fri Jul 1 03:19:27 CEST 2005
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
You _cannot_ read the unicodePwd attribute (where the actual passwd
lies) from AD. It can only be written to, and then only under certain
conditions (SSL/TLS connection, and if not written by an admin, then a
delete/add must be performed in the same operation).
This is why you should use ntlm_auth with PEAP for AD auth. You might be
able to auth against LDAP (PAP) in a TTLS situation (not tried that yet,
so I don't know how it would work), but you will never retrieve the
unicodePwd attribute.
Hope this helps.
Graham, Robert wrote:
>> No. Messages in the past few days have said you can't get passwords
>> from AD. It's impossible.
>
>> You have to use ntlm_auth. See radiusd.conf
>
>> Alan DeKok.
>
> This still doesn't make any sense. I have ntlm_auth enabled, and it is
> working fine authenticating our VPN users using MS-CHAP.
>
>
> ------------------------------------------------------------------------
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFCxJoekeDzZCV99qsRAnQAAJ4rmfLNi26taKRiUAByJcXCFXPfYwCfbgn9
joaGdjaT02sbjRGDr0nT18E=
=p1sh
-----END PGP SIGNATURE-----
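Added example, not part of the post above or of FreeRADIUS: it shows what a unicodePwd write to Active Directory looks like, both forms the message describes (a non-admin delete/add in one modify, and an admin replace), plus the TLS check AD enforces. The operation is built in python-ldap's modlist tuple format but never sent, so it runs offline; the MOD_* constants are assumed to match python-ldap's values, and the sample passwords and URI are constructed.

```python
"""
Building a unicodePwd write for Active Directory (added example; assumes
python-ldap's modlist format, nothing here contacts a server).
"""

# Assumed to equal ldap.MOD_ADD / ldap.MOD_DELETE / ldap.MOD_REPLACE.
MOD_ADD = 0
MOD_DELETE = 1
MOD_REPLACE = 2

ATTR = "unicodePwd"


def encode_unicode_pwd(password: str) -> bytes:
    """AD expects the password wrapped in double quotes and encoded as
    UTF-16LE without a BOM; any other encoding is refused by the DC."""
    return f'"{password}"'.encode("utf-16-le")


def decode_unicode_pwd(blob: bytes) -> str:
    """Inverse of encode_unicode_pwd, useful only for checking what you are
    about to send: AD never returns this attribute in a search result."""
    text = blob.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("not a quoted unicodePwd value")
    return text[1:-1]


def self_change_modlist(old_password: str, new_password: str):
    """Non-administrative change: the user proves knowledge of the old
    password by deleting it and adding the new one in the SAME modify
    request. Sending the delete and the add as two requests fails."""
    return [
        (MOD_DELETE, ATTR, [encode_unicode_pwd(old_password)]),
        (MOD_ADD, ATTR, [encode_unicode_pwd(new_password)]),
    ]


def admin_reset_modlist(new_password: str):
    """Administrative reset (caller holds the Reset Password right):
    a single replace with no knowledge of the old value."""
    return [(MOD_REPLACE, ATTR, [encode_unicode_pwd(new_password)])]


def require_tls(uri: str) -> str:
    """AD rejects unicodePwd writes on a cleartext connection; refuse to
    build the operation unless the URI is ldaps:// (StartTLS on ldap://
    also works, but is not modelled here)."""
    if not uri.lower().startswith("ldaps://"):
        raise ValueError("unicodePwd can only be written over TLS: " + uri)
    return uri


if __name__ == "__main__":
    # Constructed sample values.
    uri = require_tls("ldaps://dc.example.com")
    dn = "CN=Test User,OU=Users,DC=example,DC=com"
    for op, attr, values in self_change_modlist("OldPa$$1", "NewPa$$2"):
        print(op, attr, values[0].hex())
    # With python-ldap this would be: conn.modify_s(dn, modlist)
```

The delete/add pair is one modify request carrying two changes, which is exactly the "delete/add in the same operation" condition in the message; the replace form is what an administrator's reset looks like. Neither form lets you read the value back, which is why PEAP-MSCHAPv2 via ntlm_auth is the route for AD.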