Freeradius How to integrate Active Directory[ADIntegrationWindowsXP NTLM Tutorial]
Dusty Doris
freeradius at mail.doris.cc
Fri Nov 25 18:42:56 CET 2005
> So, the question again is if the VPN Concentrator is only sending
> username and password, do I need ntml_auth or ms-chap? FreeRADIUS
> doesn't have any usernames and password and will query Active Directory
> for the actual authentication.
>
> Thanks,
>
If the packet is merely containing plaintext username and password, then
you can probably just use rlm_ldap against AD and hit it directly. Just
need to set up a user with read access to the directory to do the initial
bind with and search of the user for authorization. Then the user will be
authenticated by doing a bind against AD with the username/password in the
packet.
BTW - I use freeradius w/ ldap for cisco VPN concentrators as well,
although it's openldap instead of AD. To pass back the class attribute,
you must modify ldap.attrmap and specify the reply item of Class to match
what you call it in the directory.
e.g.:
    replyItem Class radiusClass
Then in the directory, you have
    dn: cn=someuser,...
    ...
    radiusClass: "OU=myvpngroup;"
So, for AD, you'll need to extend the schema and add an attribute for
this. Or if you already have something that you can use, just modify
ldap.attrmap to know what it is.
-Dusty Doris
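The two pieces described above (read-only service account for the search, user bind for authentication, and the attrmap entry that turns a directory attribute into a reply Class) put together as one FreeRADIUS 1.x-style configuration. This is an added example, not Dusty's own config or anything shipped by the FreeRADIUS project; the server name, DNs, file paths, service-account password and the radiusClass attribute are placeholders and assumptions.

```text
# radiusd.conf (FreeRADIUS 1.x layout) - added example, placeholders throughout
modules {
    ldap {
        server = "ad.example.com"        # placeholder domain controller
        # Read-only service account used only for the initial bind + search.
        # Give it read rights on the user container, nothing more.
        identity = "cn=radius-reader,cn=Users,dc=example,dc=com"
        password = "CHANGE-ME"
        basedn = "dc=example,dc=com"
        # AD users log in by sAMAccountName rather than uid
        filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
        # The user bind sends the clear-text password from the packet to AD,
        # so wrap the LDAP session in TLS and verify the DC's certificate.
        start_tls = yes
        tls_cacertfile = /etc/raddb/certs/ad-ca.pem   # placeholder path
        dictionary_mapping = ${raddbdir}/ldap.attrmap
    }
}

authorize {
    preprocess
    ldap        # bind as radius-reader, search the user, fetch radiusClass
}

authenticate {
    Auth-Type LDAP {
        ldap    # bind to AD as the user with User-Password from the packet
    }
}

# ldap.attrmap - map the (schema-extended) AD attribute onto the reply item
replyItem   Class   radiusClass
```

Because authentication is a plain bind with the packet's password, this only works for PAP-style requests carrying User-Password; MS-CHAP requests from the concentrator would still need ntlm_auth or a different module.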