MS-CHAP, LDAP, ADS

Alan DeKok aland at ox.org
Thu Feb 9 23:28:48 CET 2006


"Elizabeth Palomino" <liz at unixgrrl.net> wrote:
> I have poked about on Google and read several how-tos. Is it
> possible using any authentication module (rlm_pam, rlm_ldap...) to
> authenticate a connection from a client using CHAP or MS-CHAP to an
> Active Directory Server (TM) *cough*.

  MS-CHAP yes, CHAP no.

> LDAP -->ADS
> Error:
> User-Password is Required for authentication. Cannot use "CHAP-Password"

  It's impossible.  See ntlm_auth in radiusd.conf for how to do
MS-CHAP to AD.

> 2) Which is a better way to authenticate? ldap,PAM-->Winbind?

  I would suggest not using PAM.

> 3) Can I use the ntlm_auth line with the chap 

  No.

> 4) I have read about peap and eap. Perhaps this would work?

  No.

> What I am trying to avoid is having the password transmitted in clear text
> over the network. Is there perhaps a better solution?

  RADIUS doesn't send the password in clear text over the network.

  Alan DeKok.
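
As an added illustration (not part of the original post, and not FreeRADIUS code), this sketch follows RFC 2865 section 5.2 and RFC 1994 to show the two points in the reply: User-Password is hidden with the shared secret and recoverable by the server, while CHAP-Password can only be checked by a server that already holds the cleartext password, which an LDAP bind does not supply. The secret, authenticator, challenge and passwords are constructed sample values.

```python
import hashlib
import hmac

def _keystream(secret, prev):
    # One 16-byte block of the RFC 2865 MD5 chain.
    return hashlib.md5(secret + prev).digest()

def hide_user_password(password, secret, authenticator):
    """NAS side, RFC 2865 5.2: pad to 16-byte blocks, XOR with the MD5 chain."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], _keystream(secret, prev)))
        out += prev
    return out

def reveal_user_password(hidden, secret, authenticator):
    """Server side: undo the hiding; the result can be used for an LDAP bind."""
    if not hidden or len(hidden) % 16 or len(hidden) > 128:
        raise ValueError("hidden User-Password must be 16..128 bytes, multiple of 16")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, _keystream(secret, prev)))
        prev = block
    return out.rstrip(b"\x00")  # padding is NUL bytes

def verify_chap(chap_password, challenge, cleartext):
    """RFC 1994: response = MD5(ident || password || challenge).
    CHAP-Password is ident (1 byte) + response (16 bytes); checking it
    needs the cleartext password, not a bind result or a stored hash."""
    if len(chap_password) != 17:
        return False
    expected = hashlib.md5(chap_password[:1] + cleartext + challenge).digest()
    return hmac.compare_digest(expected, chap_password[1:])

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    secret, auth = b"testing123", bytes(range(16))
    hidden = hide_user_password(b"correct horse battery", secret, auth)
    print(hidden.hex(), reveal_user_password(hidden, secret, auth))
    challenge = bytes(16)
    attr = b"\x07" + hashlib.md5(b"\x07" + b"s3cret" + challenge).digest()
    print(verify_chap(attr, challenge, b"s3cret"), verify_chap(attr, challenge, b"guess"))
```

The hiding depends entirely on the shared secret between the NAS and the RADIUS server, so that secret should be long and random.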


